{
	"id": "6807e6d7-0b2c-43cc-80db-64043f493202",
	"created_at": "2026-04-06T00:10:04.416289Z",
	"updated_at": "2026-04-10T03:20:46.258351Z",
	"deleted_at": null,
	"sha1_hash": "1743fa07791ddc4ec5f1872d411df30ff9a648c0",
	"title": "DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1837861,
	"plain_text": "DualToy: New Windows Trojan Sideloads Risky Apps to Android\r\nand iOS Devices\r\nBy Claud Xiao\r\nPublished: 2016-09-13 · Archived: 2026-04-05 21:16:23 UTC\r\nOver the past two years, we’ve observed many cases of Microsoft Windows and Apple iOS malware designed to\r\nattack mobile devices. This attack vector is increasingly popular with malicious actors as almost everyone on the\r\nplanet carries at least one mobile device they interact with throughout any given day. Thanks to a relative lack of\r\nsecurity controls applied to mobile devices, these devices have become very attractive targets for a broad range of\r\nmalicious actors. For example:\r\nWireLurker installed malicious apps on non-jailbroken iPhones\r\nSix different Trojan, Adware and HackTool families launched “BackStab” attacks to steal backup archives\r\nof iOS and BlackBerry devices\r\nThe HackingTeam’s RCS delivered its Spyware from infected PCs and Macs to jailbroken iOS devices and\r\nBlackBerry phones\r\nRecently, we discovered another Windows Trojan we named “DualToy” which side loads malicious or risky apps\r\nto both Android and iOS devices via a USB connection.\r\nWhen DualToy began to spread in January 2015, it was only capable of infecting Android devices. However,\r\nwithin six months the malicious actors added the capability to infect iOS devices. DualToy is still active and we\r\nhave detected over 8,000 unique samples belonging to this Trojan family to date. 
It mainly targets Chinese users,\r\nbut has also successfully affected people and organizations in the United States, United Kingdom, Thailand,\r\nSpain, and Ireland.\r\nIn addition to behaviors found in traditional Windows PC malware, such as process injection, modifying browser settings\r\nand displaying advertisements, DualToy also performs the following activities on Android and iOS devices:\r\nDownloads and installs Android Debug Bridge (ADB) and iTunes drivers for Windows\r\nUses existing pairing/authorization records on infected PCs to interact with Android and/or iOS devices via\r\nUSB cable\r\nDownloads Android apps and installs them on any connected Android devices in the background, where\r\nthe apps are mostly Riskware or Adware\r\nCopies native code to a connected Android device and directly executes it, which in turn activates a custom\r\nAndroid app that tries to obtain root privilege and to download and install more Android apps in the background\r\nSteals connected iOS device’s information including IMEI, IMSI, ICCID, serial number and phone number\r\nDownloads an iOS app and installs it to connected iOS devices in the background; the app will ask for an\r\nApple ID with password and send them to a server without user’s knowledge (just like AceDeceiver)\r\nhttps://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/\r\nPage 1 of 12\n\nSeveral years ago, Android and iOS began requiring user interaction before a computer is authorized to pair with a device,\r\nprecisely to prevent the kind of sideloading attack used by DualToy. However, DualToy assumes any physically connected\r\nmobile device belongs to the same owner as the infected PC to which it is connected, which means the\r\npairing has likely already been authorized. DualToy tries to reuse existing pairing records to directly interact with mobile\r\ndevices in the background. 
Although additional mechanisms (e.g., the requirement that ADB be enabled, the iOS app sandbox) further limit what this\r\nattack vector can achieve, so the threat is not especially severe, DualToy reminds us again\r\nhow attackers can use USB sideloading against mobile devices and how malware can be spread between\r\nplatforms.\r\nInfecting Android Devices\r\nAlmost all samples of DualToy are capable of infecting Android devices connected to the compromised\r\nWindows PC via USB cable. This functionality is usually implemented in a module named NewPhone.dll,\r\nDevApi.dll or app.dll.\r\nDualToy assumes ADB is enabled on the connected Android device. If ADB isn't enabled (which is the default\r\nsetting), the Android infection routine cannot proceed. However, some users, especially those who want to install Android apps from a PC or Mac, or who\r\nwant to do advanced operations with their Android devices, do enable it. This is because ADB is both the only official interface\r\nfor a Windows or Mac computer to operate an Android device via USB and a debugging interface.\r\nInstall ADB drivers\r\nOnce loaded, the module will first download universal Windows ADB drivers from its C2 server (e.g., from\r\nhttp[:]//www.zaccl[.]com/tool/new_tool.zip) and install them.\r\nFigure 1 Windows ADB driver files downloaded from the C2 server\r\nThen, some variants will directly drop a file named adb.exe which is the standard ADB Windows client. Other\r\nvariants have compiled the ADB client’s source code into the module so that they can perform ADB\r\noperations without it. Instead of adb.exe, the newest variant drops tadb.exe, a customized ADB client from Tencent’s\r\nAndroid management software.\r\nNote that since version 4.2.2 (released in early 2013), Android requires a user’s manual confirmation to authorize a\r\nPC before establishing an ADB session. 
This was designed to prevent attacks such as sideloading apps via USB.\r\nHowever, if a user has authorized his PC in the past, the related key files (the RSA private key adbkey and its public half\r\nadbkey.pub) will be stored in the %HOME%/.android directory on the PC. DualToy reuses these key files, so the device sees a host\r\nit has already authorized and the confirmation dialog never appears.\r\nDownload and install apps\r\nAfter the ADB environment is set up, DualToy will wait for an Android device to connect via USB. Once\r\nconnected, it will fetch a list of URLs from the C2 server, download the apps, and install them on the Android device\r\nin the background via the “adb.exe install” command.\r\nFigure 2 Android app downloading URLs on the C2 server\r\nFigure 3 Apps installed on the Android device by DualToy\r\nFigure 3 shows the apps downloaded and installed by DualToy. They’re all games which use Chinese as the\r\ndefault language, and none of them are available in the official Google Play store.\r\nInstall and execute binary code\r\nIn a recent variant, DualToy will download a PE executable named “appdata.exe” as well as an ELF executable\r\nfile named “guardmb” from the C2 server. The appdata.exe file was compiled from ADB’s source code with some\r\ncustomizations; DualToy executes it with the command line “appdata.exe shell am start”. When invoked with\r\nthis command line, appdata.exe copies the guardmb file to the connected Android device’s /data/local/tmp\r\ndirectory and executes it.\r\nFigure 4 appdata.exe executes guardmb on the Android device\r\nFigure 5 guardmb starts a specific service on the Android device\r\nThe guardmb file is an ELF executable for the ARM architecture. Its functionality is simple: it executes Android’s\r\nsystem command “am” to start the service “com.home.micorsoft.service.BootWakeService”. 
The service name also indicates that it is implemented in a third-party app with the package name “com.home.micorsoft”.\r\nDuring the analysis, we weren't able to find the “com.home.micorsoft” app. However, we discovered another\r\nAndroid app with a similar package name, “com.mgr.micorsoft”. Due to the same typo (“micorsoft”) and the same\r\nbinary code fingerprints, we believe these two apps have the same source and likely have identical\r\nfunctionality.\r\nThe app embeds a modified SU daemon program which was re-compiled from the SuperSU project’s source code.\r\nWe named this specific Android Trojan “RootAngel”. After the service is started by guardmb, it attempts to obtain root\r\nprivilege and install the SU daemon. It will also connect to its C2 server, download more Android apps and install them in the background\r\nthrough the “pm install” command.\r\nFigure 6 RootAngel installs Android apps downloaded from the C2 server\r\nInfecting iOS Devices\r\nWe observed the first sample of DualToy capable of infecting iOS devices on June 7, 2015 (SHA-256:\r\nf2efc145d7d49b023d97a5857ad144dd03a491b85887312ef401a82b87fb1b84). Later in 2016, a new variant\r\nappeared. Our analysis below focuses primarily on the first variant.\r\nDuring execution, the sample will drop some PE and .ini files. Among them, insapp.dll is the module used to\r\ninfect an iOS device. It was developed using Delphi and C++ and then packed with a standard UPX packer.\r\nThere’s another file, insapp.ini, which contains configuration including URLs to download iTunes drivers as well\r\nas iOS apps to install.\r\nDownload and install iTunes\r\nAfter being loaded, insapp.dll will check whether iTunes is installed on the infected computer. If not, it will\r\ndownload two MSI format installers from its C2 server. 
For example, for a 64-bit Windows PC,\r\n“AppleMobileDeviceSupport64.msi” and “AppleApplicationSupport64.msi” will be downloaded. These two\r\ninstallers are part of Apple’s official iTunes for Windows software and contain the driver files that\r\niTunes uses to interact with iOS devices.\r\nAfter that, DualToy will execute “msiexec.exe” to run the installers shown in Figure 8 silently; the\r\n“/qn” parameter suppresses the installer UI entirely.\r\nFigure 7 The config file specifies URLs of the iTunes installer and iOS app(s)\r\nFigure 8 DualToy installs the iTunes installers via msiexec.exe\r\nOperate iOS devices\r\nIn order to operate iOS devices through the installed iTunes drivers, DualToy reuses an open source project,\r\n“iphonetunnel-usbmuxconnectbyport”. Using this, DualToy resolves and invokes APIs exported by iTunes’ iTunesMobileDevice.dll\r\nat runtime, so that it can interact with iOS devices just like iTunes does.\r\nFigure 9 DualToy resolves symbols from iTunesMobileDevice.dll at runtime\r\nDualToy will watch for USB connections. Once there’s a valid iOS device connected, it will try to connect to it\r\nusing iTunes APIs. Like Android, Apple also introduced manual user authorization (the “Trust This Computer?” prompt) starting\r\nwith iOS 7 to prevent unauthorized pairing. As it does with Android devices, DualToy will check whether the iOS device was\r\npreviously paired so that it can reuse the existing pairing record (Figure 10).\r\nFigure 10 DualToy checks whether the device was paired by the owner before\r\nSteal iOS device information\r\nAfter successfully connecting with an iOS device, DualToy will collect device and system information, encrypt\r\nit and send it to its C2 server. 
The collected information includes:\r\nDevice name, type, version and model number\r\nDevice UDID and serial number\r\nDevice baseband version, system build version, and firmware version\r\nDevice IMEI\r\nSIM card’s IMSI and ICCID\r\nPhone number\r\nFigure 11 DualToy collects iOS device information\r\nDownload and install app\r\nIn addition to collecting device information, DualToy also tries to download IPA file(s) from the C2 server and\r\ninstall them on the connected iOS device. The URL it uses to fetch the download list is\r\nhttp[:]//www.zaccl[.]com/tool/apple/wj_app.xml. During our analysis in April and in August 2016, this URL always\r\nreturned a single file, “kuaiyong.ipa”. After downloading it, DualToy will copy the IPA file via the AFC service to\r\nthe iOS device’s /var/mobile/Media/PublicStaging directory, and then install it via the installation_proxy service.\r\nFigure 12 DualToy fetches the iOS app download list\r\nFigure 13 Install iOS app via iTunes API\r\nThe downloaded kuaiyong.ipa has an obfuscated bundle ID of\r\n“pWsbshWBn5XN9kk0twBUECAVt2E.dsE7UfuXZdinV60edM4u1Ul0d6hSf66akdZrmp”. It was signed by an\r\nenterprise certificate issued to “Ningbo Pharmaceutical Co., Ltd.” That certificate has since expired, so the app won’t install\r\nsuccessfully on iOS devices anymore. 
However, the attacker could easily change the URL list returned by the C2 server to\r\npush other apps.\r\nFigure 14 The iOS app was signed by an enterprise certificate\r\nAceDeceiver-like behavior\r\nSince kuaiyong.ipa has an expired certificate, we re-signed it with a personal development certificate and then\r\ninstalled it on our testing device.\r\nThe app is yet another third-party iOS app store just like “ZergHelper”. It also has exactly the same behavior as\r\nAceDeceiver. When launched for the first time, the app will ask the user to input his or her Apple ID and password\r\n(Figure 15). The nearby disclaimer says the credentials won’t be uploaded to any server. However, through our\r\nreverse engineering and debugging, we discovered that the Apple ID and password are encrypted with the DES\r\nalgorithm using a fixed key of “HBSMY4yF” and a fixed IV of “\\x12\\x34\\x56\\x78\\x90\\xab\\xcd\\xef”, and sent to the server\r\nproxy.mysjzs[.]com after Base64-encoding the ciphertext. Figure 16 shows the output of hooking the\r\nCCCrypt function with Frida. 
Figure 17 shows the credentials being uploaded to the server.\r\nNote that because the C2 traffic is plain HTTP rather than HTTPS, and the credential payload is protected only by single DES\r\nunder a key and IV that are hard-coded in the app, anyone able to sniff the network traffic can capture the payload and decrypt\r\nthe Apple ID and password with that same fixed key. The fixed IV also makes the encryption deterministic: identical credentials\r\nalways produce identical ciphertext, so repeat logins can be correlated even without decrypting them.\r\nFigure 15 Kuaiyong.ipa asks the user to input an Apple ID and password\r\nFigure 16 Apple ID username and password were encrypted with DES\r\nFigure 17 Encrypted Apple ID and password were sent to a server\r\nMitigation\r\nPalo Alto Networks WildFire has successfully detected DualToy samples as malicious. URL Filtering has also blocked its C2 traffic so that it can’t\r\ndownload drivers, malicious payloads or apps. We have also created an AutoFocus tag to identify known DualToy\r\nsamples.\r\nTo prevent similar attacks, we suggest users and organizations deploy both endpoint and network-based malware\r\nprevention solutions. 
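The C2 hostnames and fetch paths in this report are the easiest thing to alert on. What follows is an added example, not code from the report or from Palo Alto Networks: a small detector that refangs the indicators from the appendix and runs them over proxy log lines. The log layout and every line in SAMPLE_PROXY_LOG are constructed for the example; a real deployment would swap in the field order of its own proxy or Zeek http.log. A request to a listed host (or a sub-host of one) is reported as high confidence; a request for one of the known C2 paths on an unlisted host is reported as low confidence, on the assumption that the actor may rotate domains while keeping the same server layout.

```python
from urllib.parse import urlsplit

# C2 hostnames from the report appendix, kept defanged so the list is safe to paste around.
DUALTOY_C2_DOMAINS = [
    'www.zaccl[.]com', 'pack.1e5[.]com', 'rsys.topfreeweb[.]net', 'abc.yuedea[.]com',
    'report.boxlist[.]info', 'tt.51wanyx[.]net', 'hk.pk2012[.]info',
    'center.oldlist[.]info', 'up.top258[.]cn', 'dl.dswzd[.]com',
]
# URL paths the report shows DualToy fetching: the ADB driver bundle and the iOS app list.
DUALTOY_C2_PATHS = ['/tool/new_tool.zip', '/tool/apple/wj_app.xml']

def refang(indicator):
    '''Turn a defanged indicator back into a normalized, matchable hostname.'''
    return indicator.replace('[.]', '.').lower().strip().rstrip('.')

def normalize_host(host):
    '''Lowercase and drop a trailing dot so HK.PK2012.INFO. compares equal to hk.pk2012.info.'''
    return (host or '').lower().rstrip('.')

def host_matches(host, indicator):
    '''True for the indicator itself or any sub-host of it (cdn.pack.1e5.com hits pack.1e5.com);
    a lookalike such as notzaccl.com does not match www.zaccl.com.'''
    return host == indicator or host.endswith('.' + indicator)

def scan_proxy_log(lines):
    '''Return one hit per log line that talks to DualToy infrastructure.
    Input lines are whitespace separated: timestamp client method url status
    (constructed here; adapt the split for your own proxy or Zeek http.log format).'''
    indicators = [refang(d) for d in DUALTOY_C2_DOMAINS]
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue   # malformed or truncated line: skip it rather than abort the whole scan
        timestamp, client, method, url = fields[:4]
        parts = urlsplit(url)
        host = normalize_host(parts.hostname)
        matched = [ind for ind in indicators if host_matches(host, ind)]
        # A known C2 path on an unknown host is a weaker signal: the actor may have
        # moved infrastructure but kept the server layout.
        path_only = not matched and parts.path in DUALTOY_C2_PATHS
        if matched or path_only:
            hits.append({'timestamp': timestamp, 'client': client, 'host': host,
                         'path': parts.path,
                         'indicator': matched[0] if matched else parts.path,
                         'confidence': 'high' if matched else 'low'})
    return hits

# Constructed sample log: two direct C2 fetches, a sub-host of a listed domain, benign
# traffic, a path-only match on an unlisted IP, and a lookalike domain that must not fire.
SAMPLE_PROXY_LOG = [
    '1473724800.101 10.0.0.5 GET http://www.zaccl.com/tool/new_tool.zip 200',
    '1473724812.440 10.0.0.5 GET http://cdn.pack.1e5.com/game1.apk 200',
    '1473724820.002 10.0.0.9 GET http://www.example.com/index.html 200',
    '1473724901.733 10.0.0.5 GET http://198.51.100.7/tool/apple/wj_app.xml 200',
    '1473724950.118 10.0.0.7 POST http://HK.PK2012.INFO./report 200',
    '1473725003.560 10.0.0.9 GET http://notzaccl.com/tool/x.zip 404',
]

if __name__ == '__main__':
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Matching is exact or by sub-host only, so a lookalike registered domain such as notzaccl.com does not fire; widen the match to the registered domain only if you accept the extra false positives that shared hosting brings.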
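DualToy works because the infected PC already holds the device’s trust: the ADB key pair in the user profile’s .android directory (adbkey and adbkey.pub) and iTunes’ lockdown pairing records, stored on Windows under %ProgramData%\\Apple\\Lockdown as one <UDID>.plist per paired device. As an added example (not code from the report or from Palo Alto Networks), the triage script below inventories that trust on a host image so an incident responder knows which phones the malware could have reached without a prompt. It prints the ADB key’s fingerprint computed the way Android computes it for the USB debugging authorization dialog (MD5 of the decoded public key, as colon-separated hex), which can be matched against what the phone was shown, and for each lockdown record the HostID and whether an escrow bag is present. build_sample_host creates a constructed fixture of placeholder bytes rather than real keys; the directory layout and plist keys are the ones adb and iTunes use.

```python
import base64
import hashlib
import os
import plistlib
import tempfile

def adb_key_fingerprint(pubkey_line):
    '''Fingerprint of an adbkey.pub line (<base64 key> <user@host>), computed the way
    Android does for its Allow USB debugging? dialog: MD5 of the decoded key bytes,
    uppercase hex pairs joined by colons. Lets you match the key against what the
    phone displayed when it was authorized.'''
    key_b64, _, comment = pubkey_line.strip().partition(' ')
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest().upper()
    return ':'.join(digest[i:i + 2] for i in range(0, len(digest), 2)), comment

def audit_pairing_records(user_profile, program_data):
    '''List the stored device authorizations a Windows host could reuse without any
    prompt on the phone: the ADB key pair in <profile>/.android and the iTunes
    lockdown pairing records in <ProgramData>/Apple/Lockdown (one <UDID>.plist each).'''
    findings = {'adb': None, 'ios': []}
    adb_dir = os.path.join(user_profile, '.android')
    priv, pub = os.path.join(adb_dir, 'adbkey'), os.path.join(adb_dir, 'adbkey.pub')
    if os.path.isfile(priv) and os.path.isfile(pub):
        with open(pub, 'r', encoding='ascii') as fh:
            fingerprint, comment = adb_key_fingerprint(fh.read())
        findings['adb'] = {'fingerprint': fingerprint, 'comment': comment}
    lockdown_dir = os.path.join(program_data, 'Apple', 'Lockdown')
    if os.path.isdir(lockdown_dir):
        for name in sorted(os.listdir(lockdown_dir)):
            # SystemConfiguration.plist holds the host BUID, not a device pairing.
            if not name.endswith('.plist') or name == 'SystemConfiguration.plist':
                continue
            with open(os.path.join(lockdown_dir, name), 'rb') as fh:
                record = plistlib.load(fh)
            findings['ios'].append({
                'udid': name[:-len('.plist')],
                'host_id': record.get('HostID'),
                # The escrow bag is what lets a paired host sync and back up without the
                # passcode being entered on the device, so its presence widens what a
                # reused record allows.
                'has_escrow_bag': 'EscrowBag' in record,
            })
    return findings

def build_sample_host(root):
    '''Constructed fixture (placeholder bytes, not real keys): one ADB key pair and one
    lockdown record, laid out like a Windows user profile and ProgramData tree.'''
    profile = os.path.join(root, 'Users', 'alice')
    program_data = os.path.join(root, 'ProgramData')
    os.makedirs(os.path.join(profile, '.android'))
    os.makedirs(os.path.join(program_data, 'Apple', 'Lockdown'))
    with open(os.path.join(profile, '.android', 'adbkey'), 'w') as fh:
        fh.write('placeholder private key')
    fake_key = bytes(range(256)) * 2 + bytes(12)   # 524 bytes, the size of the struct adb encodes
    with open(os.path.join(profile, '.android', 'adbkey.pub'), 'w') as fh:
        fh.write(base64.b64encode(fake_key).decode('ascii') + ' alice@WIN-PC')
    record = {'HostID': '2F1C9E60-0000-4000-8000-000000000001',
              'SystemBUID': '9A4B8C3D-0000-4000-8000-000000000002',
              'HostCertificate': b'placeholder', 'EscrowBag': b'placeholder'}
    plist_path = os.path.join(program_data, 'Apple', 'Lockdown', '00008030-000A1B2C3D4E5F67.plist')
    with open(plist_path, 'wb') as fh:
        plistlib.dump(record, fh)
    return profile, program_data

def demo():
    '''Build the constructed fixture in a temporary directory and audit it.'''
    with tempfile.TemporaryDirectory() as root:
        return audit_pairing_records(*build_sample_host(root))

if __name__ == '__main__':
    print(demo())
```

An adbkey on the PC shows that a key exists, not that any phone trusts it; the authoritative list lives on the device in /data/misc/adb/adb_keys and is readable only with root. Revoking USB debugging authorizations in the phone’s Developer options empties that list, and Reset Location & Privacy on iOS drops its trusted computers, after which DualToy would hit the confirmation prompt instead of a silent session.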
We also suggest users avoid connecting their mobile phones to untrusted devices via USB. Because DualToy relies on authorizations\r\nthe user granted earlier, revoking stale ones removes its foothold: on Android, “Revoke USB debugging authorizations” in Developer options\r\nclears the phone’s list of trusted computers, and on iOS, “Reset Location & Privacy” does the same for trusted computers.\r\nThe popularity and ubiquitous nature of mobile devices ensures malicious attackers will only continue to refine\r\nand develop new mobile malware, which means users and organizations will need to employ similar levels of\r\nprotection and user awareness historically provided to desktops, laptops, and networks.\r\nAcknowledgements\r\nWe would like to thank Zhi Xu and Josh Grunzweig from Palo Alto Networks for their assistance during the\r\nanalysis.\r\nAppendix\r\nSHA-256 of selected samples\r\nb028137e54b46092c5349e0d253144e2ca437eaa2e4d827b045182ca8974ed33  jkting.zip\r\nbbe5fcd2f748bb69c3a186c1515800c23a5822567c276af37585dab901bf550c  new5.zip\r\n26ff76206d151ce66097df58ae93e78b035b3818c24910a08067896e92d382de  NewPhone.dll\r\n24c79edc650247022878ddec74b13cf1dc59a6e26316b25054d015bdc2b7efc7  new_tool.zip\r\ncd432a8a0938902ea3016dae1e60c0a55016fd3c7741536cc9f57e0166d2b1b8  appdata.exe\r\n42290cefc312b5f1e4b09d1658232838b72d2dab5ece20ebf29f4d0d66a7879a  guardmb\r\n7f7a3ed87c63bd46eb8b91a5bb36b399b4eebaf7d01342c13ef695340b9964a6  Mgr_700003.apk\r\n9f84665a891e8d9d3af76b44c1965eba605f84768841dfb748cb05ec119ffd9d  phonedata.exe\r\nc8695fe9decbeedfe1f898464b6aa9da511045721c399486d00b889d888c8121  zWDLzv.dll\r\nf2efc145d7d49b023d97a5857ad144dd03a491b85887312ef401a82b87fb1b84\r\nc32c64196bb4e038657c3003586563407b5a36db74afb837a5b72f71cf1fadf1  DevApi.dll\r\ndee13984156d1b59395126fcac09f407ef7c7d7308643019ccee6e22683ea108  insapp.dll\r\neae9fda5ca026d2cc0fbdd6f6300d77867dae95a5c1ab45efdb4959684f188d2  insapp.ini\r\n899e3c72e2edf720e5d0f3b0dfbf1e2dcc616277c11cf592ab267a9fa0bfbac9  kuaiyong.ipa\r\nc8695fe9decbeedfe1f898464b6aa9da511045721c399486d00b889d888c8121\r\nC2 Domains\r\nwww.zaccl[.]com\r\npack.1e5[.]com\r\nrsys.topfreeweb[.]net\r\nabc.yuedea[.]com\r\nreport.boxlist[.]info\r\ntt.51wanyx[.]net\r\nhk.pk2012[.]info\r\ncenter.oldlist[.]info\r\nup.top258[.]cn\r\ndl.dswzd[.]com\r\nSource: https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
	],
	"report_names": [
		"dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices"
	],
	"threat_actors": [],
	"ts_created_at": 1775434204,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1743fa07791ddc4ec5f1872d411df30ff9a648c0.pdf",
		"text": "https://archive.orkl.eu/1743fa07791ddc4ec5f1872d411df30ff9a648c0.txt",
		"img": "https://archive.orkl.eu/1743fa07791ddc4ec5f1872d411df30ff9a648c0.jpg"
	}
}