Windows malware infected 132 Android apps on Google Play Store

Ultimately, Google classified this as a "non-Android threat": its term for applications that cannot harm the Android device they run on but could damage other platforms.

The infected apps request only the internet permission from the user, which is so routine for apps that users rarely treat it as a security decision on their phones.

The Windows executable, together with the fact that some of the iframes pointed to domains that had been sinkholed four years earlier, convinced researchers that the developers had not infected their apps deliberately; the developers were themselves victims of malware.

Unit 42 detected 132 apps that contained the iframes, many of them popular. Earlier, a separate malware family called HummingBad had affected millions of Android devices. The researchers wrote: "We believe it is most likely that the app developers' development platforms were infected with malware that searches for HTML pages and injects malicious content at the end of the HTML pages it finds."

Google Play, Google's app and media store, has turned five. Most of the affected apps are educational or informational. The malware abuses the apps' use of Android WebView to load HTML pages that link to unsafe sites, which then attempt to install a Windows executable onto the device.

The 132 infected apps appear unrelated and come from seven different developers, but they share one thread: all seven developers are geographically connected to Indonesia.

Analysis of the apps' web pages showed that the HTML contained a tiny hidden iframe linking to malicious domains. Had the developers been the attackers, they could have pointed the iframes at working domains to cause real damage; the dead domains instead suggest the attacker did not know about the target platform. For the full list, see Google's official blog post.

The Windows-specific malware was served from domains that have long since been taken down, and even when reachable it posed no threat to the phone: the pages attempt to install a Windows executable, which Android devices cannot run.

"One common way HTML files have been infected with malicious iframes has been through file-infecting viruses like Ramnit. This not only steals revenue from app developers, but also can damage the developers' reputation."
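The two observable signs described in this article, an iframe sized or styled to be invisible and injected content sitting after the page's closing tag (where a file infector that appends to HTML files would leave it), can be checked mechanically by a developer before shipping bundled HTML. The scanner below is an added example and is not code from the article, Unit 42 or Google; the sample pages and the `sinkholed-example.invalid` domain are constructed placeholders, not indicators from the report.

```python
"""Scan HTML assets for hidden or appended iframes pointing at external hosts.

Added example; sample pages, host names and the 1px threshold are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that makes an element invisible to the user.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Record every <iframe> start tag with its absolute offset in the document."""

    def __init__(self, line_starts):
        super().__init__()
        self._line_starts = line_starts
        self.iframes = []  # (attrs dict, absolute character offset of '<')

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            line, col = self.getpos()  # position of this tag's opening '<'
            self.iframes.append((dict(attrs), self._line_starts[line - 1] + col))


def _pixels(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not numeric."""
    if value is None:
        return None
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return None


def is_hidden(attrs):
    """True if the iframe is sized to be invisible or hidden via inline CSS."""
    w, h = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    return bool(HIDDEN_STYLE.search(attrs.get("style") or ""))


def scan_html(html, trusted_hosts=()):
    """Return suspicious iframes: external ones that are hidden or that sit
    after the closing </html> tag, the spot where content appended by a
    file infector ends up."""
    line_starts = [0] + [i + 1 for i, ch in enumerate(html) if ch == "\n"]
    parser = IframeCollector(line_starts)
    parser.feed(html)
    parser.close()
    close_tag = html.lower().rfind("</html>")
    findings = []
    for attrs, pos in parser.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        external = bool(host) and host not in trusted_hosts
        hidden = is_hidden(attrs)
        appended = close_tag != -1 and pos > close_tag
        if external and (hidden or appended):
            findings.append({"src": src, "host": host, "hidden": hidden,
                             "appended": appended, "offset": pos})
    return findings


# Constructed sample pages. The legitimate embed is visible and sits inside
# <body>; the injected one is 1x1, display:none, and appended after </html>.
CLEAN_PAGE = (
    '<html><head><title>Lesson 1</title></head>\n'
    '<body><h1>Welcome</h1><iframe src="https://www.example.com/embed" '
    'width="300" height="200"></iframe></body></html>'
)
INFECTED_PAGE = CLEAN_PAGE + (
    '\n<iframe src="http://sinkholed-example.invalid/x.html" '
    'width="1" height="1" style="display:none"></iframe>\n'
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page, trusted_hosts={"www.example.com"}))
```

Run over every `.html` file in an app's `assets/` directory, the check flags exactly the pattern the researchers describe without needing the attacker's domain list; a visible, in-body embed from a host the developer recognises is left alone.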

  • Arturo Norris