Even adult toys want your personal information: don’t plug them into a USB


Hackers are always trying new methods to deliver information stealers that extract information about crypto wallets and credentials. One user found that a newly bought sex toy was infected with malware after trying to charge it from a computer.

The user shared their story on Reddit: “Bought a small vibrator from the mall. It’s got a cap you remove and a USB port to charge, so it’s literally a vibrator flash drive. Plugged it into my computer to charge without any thought. Opened my web browser, and a file was instantly downloaded without opening any webpages, Malwarebytes has flagged it as malware and stopped the download.”

It turns out that this actually happened, and the sex toy, called “Spencer’s Sexology Pussy Power 8-Function Rechargeable Bullet Vibrator,” tried to infect the computer with an information stealer known as Lumma, Malwarebytes confirmed.

ADVERTISEMENT

Lumma is a subscription-based malware, and cybercriminals pay for access to it. This infostealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions before ultimately stealing sensitive information from the device. It has also incorporated new methods to compromise Google accounts.

“The customer was kind enough to provide us with the content of the flash drive. On it were a host of XML files and a Microsoft Software Installer file (Mia_Khalifa 18+.msi),” Malwarebytes Labs report reads.

The files were intended to crash the web application, likely designed to draw the victim’s attention away while the actual malware is installed.

lumma-infected-usb-device

After analyzing the payload, the security company found a heavily obfuscated executable that turned out to be a Trojan. Malwarebytes software on the user’s device detected it as Trojan.Crypt.MSIL, a generic detection name.

The dropped executable delivered a combination of the Lumma Stealer and an additional .NET dll library.

“The question that remains is, how did the vibrator get infected? The victim bought the vibrator at Spencer’s, so we reached out to the company in an attempt to get to the bottom of this. Spencer’s acknowledged that it was aware of the problem, but the team investigating the issue was unable to provide further information at this point,” Malwarebytes Labs report reads.

Recommendation: do not charge it on the computer

ADVERTISEMENT

Malwarebytes recommends that users don’t connect USB devices to computers for charging. Any untrusted devices should be treated as “the lost USB stick in the parking lot.”

“If you use a good old-fashioned AC plug socket, then no data transfer can take place while you charge,” the report reads. “If you still want the option to connect via USB, USB condoms or “juice-jack defenders” as they are sometimes called, will prevent accidental data exchange when your device is plugged into another device with a USB cable.”

Using security software adds another layer of protection, as the user, in this case, was protected by Malwarebytes Premium.