Android Password Recovery Tool Can Hack PCs
CREDIT: Eric Milos/Shutterstock.com/Google/Creative Commons. Image composite by TechNewsDaily.
USB Cleaver is an Android tool that can silently extract every relevant username and password from a Windows PC, but whether this makes it malware or a useful tool largely depends on your point of view.
The app first came out in May 2012, but only caught mainstream attention recently. Finnish security company F-Secure's blog recounts how its researchers discovered USB Cleaver on a Chinese forum. Users were discussing how the program could be used to compromise a Windows machine.
Julian Evans, a U.K.-based security expert, makes no bones about what the app does. "This app is designed to capture browser passwords from Firefox, Chrome and Internet Explorer, a PC Wi-Fi password, network data (IP addresses), [networking] secrets and more," he wrote on his blog.
However, Evans also asserts that USB Cleaver is meant for password recovery, not hacking. The app requires user permissions on Android in order to run, although permissions on the Windows end will vary. While Windows 7 and 8 have Autorun disabled by default, systems dating back to Windows 2000 may or may not allow it. (Users still running Windows ME and older OSes have bigger security risks than USB Cleaver.)
Symantec, a prominent security company based in Mountain View, Calif., takes a fairly dim view of USB Cleaver. According to its threat assessments, USB Cleaver counts as a Trojan, albeit a very low-risk one.
It's difficult to say which entity is correct. USB Cleaver has both good and evil applications, like many security programs. A law-abiding user could use it to make an extremely comprehensive repository for all of his or her passwords with minimal effort. A criminal could steal every piece of financial data on a secure system and leave the computer otherwise unharmed.
If USB Cleaver is indeed meant as a hacking tool, it's a very inefficient one. Even though the program is robust, it still only works on one computer at a time, and requires direct, physical access. While this could cause a lot of trouble with, say, a disgruntled employee in an office building, targeting random home computers would be impractical.
Unfortunately, if someone has his sights set on your computer with USB Cleaver, there's not a whole lot you can do to stop him. The program requires Autorun to be enabled on Windows (it's disabled by default, at least on newer systems), but anyone cunning enough to use USB Cleaver will also know how to turn Autorun back on.
Your best defense is to ensure that only administrator accounts can enable or disable Autorun, and to devise a very strong password.
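Both halves of that defense can be checked on a given machine. The PowerShell below is an added example, not part of the original article: it reads the `NoDriveTypeAutoRun` policy value to report which drive types still allow AutoRun, then lists any account outside the administrative ones that can change values under the machine-wide policy key. The list of trusted account names is an assumption (English-language Windows).

```powershell
# Added example (read-only audit); not from the original article.
# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
    'Reserved'  = 0x80
}

function Get-AutoRunEnabledType {
    param([int]$Mask)
    # Drive types whose bit is clear still have AutoRun allowed.
    $DriveTypeBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key }
}

$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
foreach ($path in "HKLM:\$subKey", "HKCU:\$subKey") {
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.NoDriveTypeAutoRun) {
        Write-Output "$path : NoDriveTypeAutoRun not set (OS default applies)"
        continue
    }
    $allowed = @(Get-AutoRunEnabledType -Mask $props.NoDriveTypeAutoRun)
    if ($allowed.Count -eq 0) {
        Write-Output "$path : AutoRun disabled for all drive types"
    } else {
        Write-Output "$path : AutoRun still allowed for: $($allowed -join ', ')"
    }
}

# Who can change the machine-wide policy? Only administrative principals should.
# Assumption: English account names; adjust $trusted for localized systems.
# ACEs expressed only as generic rights are not decoded by this check.
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller'
$write   = [System.Security.AccessControl.RegistryRights]::SetValue
$hklm    = "HKLM:\$subKey"
if (Test-Path $hklm) {
    (Get-Acl -Path $hklm).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (($_.RegistryRights -band $write) -ne 0) -and
                       $trusted -notcontains $_.IdentityReference.Value } |
        ForEach-Object { Write-Output "Non-admin write access: $($_.IdentityReference.Value)" }
}
```

A value of `0xFF` disables AutoRun for every drive type; any output from the last section means a non-administrative account could re-enable it.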
Evans disagrees that the program is inherently harmful, but urges users to decide for themselves. "I suggest you visit [Symantec's] page, so you can make up your mind as to whether you need to install this app," he wrote.