'Most popular' torrent client laced with Android malware

By

Rooted users targeted.

Rogue developers were found to have laced the world's most popular torrent client with code that foisted unwanted and potentially malicious software onto Android devices, researchers say.

'Most popular' torrent client laced with Android malware

Xunlei Networking Technologies admitted now fired staff had introduced functionality to the Xunlei (aka Thunder) download manager that would drop malware on Windows boxes and push heavily-obfuscated code to any connected Android device.

Xunlei was rated the most popular torrent client in a 2009 report by bittorrent site the Pirate Bay. Recent statistics do not exist, however the uTorrent client could be the most popular outside of China.

"Not only were the binaries signed with [Xunlei Networking Technologies'] certificate, but the domain kankan.com, whose subdomain is used as StatServer, corresponds to the company’s video-on-demand service. So there is little doubt about the company’s implication in the production of this piece of software," ESET researcher Joan Calvet said.

Calvet said the company said that staff in one of its divisions were responsible and have been fired.

Thousands of Chinese users who downloaded the compromised Xunlei program during August and September could have had their connected devices compromised.

 

The installed apps
The installed apps

 

The malware worked according to Calvet and her team by registering a functionless Microsoft Office plugin that established persistence on user machines.

It would retrieve a series of commands from a Xunlei-run servers and download the Android Debug Bridge to locate and communicate with Android devices connected via USB. The debug bridge was part of Google's Android software development kit.

Only Android devices with debugging mode enabled could be infected. This meant that rooted devices -- those modified to run custom operating systems -- were most at risk because the mode was activated during the root process.

Seemingly innocuous Chinese-language software was then uploaded to Android devices and installed without the need to ask user permission, a feat made possible thanks to the enabling of debug mode.

Deeper analysis was available on the ESET blog.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
androidbittorrentmalwaresecurity

Sponsored Whitepapers

Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra

Events

Most Read Articles

NSW Police to embark on $126m IT overhaul

NSW Police to embark on $126m IT overhaul
CBA looks to GenAI to assist 1200 'security champions'

CBA looks to GenAI to assist 1200 'security champions'
Victoria's first government tech chief steps down

Victoria's first government tech chief steps down
SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?