A few months ago, users of Xunlei, a highly popular download manager developed by China-based Xunlei Networking Technologies, started complaining after identifying a suspicious piece of software signed with one of the company’s digital certificates.
ESET researchers have analyzed the malicious software and dubbed it Win32/Kankan. According to the experts, the application had been distributed as a file called INPEnhSetup.exe.
Once installed on a system, several files are dropped. These represent a bogus Microsoft Office plugin that’s designed to make sure the program remains persistent on the system.
This plugin also downloads several Android applications that are installed on Android devices connected to the infected computer via USB.
“According to our analysis, all these applications provide real features to the user. Three of them are Android markets, which allow the user to download various applications onto his phone. We were not able to find any clearly malicious features in these applications. It is still worth noticing, though, that their code is heavily obfuscated,” ESET’s Joan Calvet noted.
One of the apps is still present on Google Play. ESET detects it as a potentially unsafe application dubbed “Android/SMSreg.BT.”
“Overall, the motivation behind the installation of these particular mobile applications remains unknown,” Calvet added.
So how did these shady applications become bundled with Xunlei, which was named the most commonly used BitTorrent client in the world in 2010?
According to Xunlei Networking Technologies, some employees used company resources to create and distribute the program. They allegedly worked in a subdivision and didn’t have the company’s permission.
Those responsible have been allegedly fired. Furthermore, an uninstaller has been made available by the Chinese company.
ESET has confirmed that the number of Win32/Kankan detections has since decreased considerably. China is the only country affected.