DualToy Windows Trojan Secretly Sideloads Apps on Android and iOS Devices

Share this…

Number of DualToy infections is on the rise. A trojan targeting Windows computers is secretly sideloading mobile applications to any Android or iOS devices the user is connecting to infected PCs via USB cables.

The trojan, named DualToy, has been active since January 2015, but in its original form, it was only capable of infecting Android devices.

DualToy received support for infecting iOS devices six months later, but the number of real-world infections only recently spiked, according to a Palo Alto Networks report, reaching 8,000 different samples detected in the wild.

Trojan downloads and installs ADB, iTunes drivers for Windows

Under the hood, DualToy is coded in C++ and Delphi, and the first thing it does after infecting a computer is to download and install the Android Debug Bridge (ADB) and the iTunes drivers for Windows.

These two applications are used by the trojan’s process to interact with any device connected to the PC.

The trojan assumes that any device attached to the computer is the owner’s device. As such, the trojan uses pairing/authorization records already found on the user’s PC to try and authenticate on the mobile device that’s connected via a USB port.

Trojan downloads and installs rogue mobile apps

After successfully accessing the device, DualToy contacts it’s C&C server, gets a list of apps to install, downloads the apps, and then installs them on the user’s device.

To avoid complications with the app installation process, for Android devices, DualToy also downloads special code from the C&C server and runs it on the device. This code roots the device and gives DualToy the ability to install apps without user interaction, in the phone’s background.

For iOS devices, the trojan downloads and runs code that collects details such as IMEI, IMSI, ICCID, serial number and phone number. The purpose of this operation is currently unknown.

DualToy steals Apple IDs and passwords

Also for iOS devices, DualToy will collect the user’s Apple ID and password, and send it to its C&C server. Palo Alto notes that this behavior is similar to the AceDeceiver iOS trojan.

All the apps installed by DualToy are used to show ads, which generate a profit for the trojan’s operator.


DualToy isn’t harmless. If the user never connects a mobile device to the infected PC, the trojan will modify browser settings in order to inject ads in accessed websites.

“Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms,”  Claud Xiao, security researcher for Palo Alto, said.