DualToy is a Windows trojan that attackers use to push malicious apps onto Android and iOS devices over a USB connection, a technique also known as "sideloading." Once a computer running Windows becomes infected with DualToy, ads begin to appear and the system's browser settings are altered. DualToy requires Android Debug Bridge (ADB) to compromise an Android device and iTunes to compromise an iOS device; if either application is not detected on the host, the trojan downloads it onto the Windows system. After a mobile device has been infected, DualToy contacts its C2 server to download a list of URLs and then installs numerous Chinese game apps. It also collects several pieces of system and device information and sends them to its C2 server. Notably, DualToy uses the existing pairing records on the infected PC to establish a connection with Android and iOS devices. The malware first began to spread in January 2015 and is still active; 8,000 samples belonging to this family have been observed to date.

Reporting and Technical Details

  • September 2016: A previously discovered trojan is observed with the new capability of infecting iOS devices connected to compromised Windows systems via USB. (Palo Alto Networks)

One example of the DualToy trojan. Image Source: Palo Alto Networks