Palo Alto researchers just discovered 123 Android apps located on Google Play that tried to infect users with… Windows malware. The apps were infected with “tiny hidden Iframes that link to malicious domains in their local HTML pages”. The most popular of the apps had over 10,000 installations.
The researchers believe that the developers of the corrupted apps are not at fault but are most probably victims themselves, explaining that:
We believe it is most likely that the app developers’ development platforms were infected with malware that searches for HTML pages and injects malicious content at the end of the HTML pages it finds. If this is the case, this is another situation where mobile malware originated from infected development platforms without developers’ awareness. We have reported our findings to Google Security Team and all infected apps have been removed from Google Play.
Apps for Design Ideas Attempt to Infect Android Users with Windows Executable Files
What were the apps for? Apps offering design ideas on topics such as gardening, cooking, and home design were compromised, most likely without the knowledge of their developers. The researchers identified one thing that all the apps had in common – the Android WebView component, which the apps used to display static HTML pages bundled locally.
A deeper analysis of the pages showed that the HTML code contained a very small, concealed Iframe linking to well-known malicious domains. Even though those domains were not active at the time of the investigation, the relevance of the incident shouldn’t be underestimated.
Beyond the overall risk of the situation, something else caught the researchers’ attention. One of the infected pages also attempted to download and run a malicious Microsoft Windows .exe file the moment the page loaded. Naturally, it would not execute, as the device was running Android rather than Windows.
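To illustrate what a developer could look for in their own WebView assets after reading this, here is an added example (not Palo Alto’s tooling or anything from the affected apps) that flags the pattern the research describes: tiny or CSS-hidden iframes pointing at external hosts, plus links to Windows executables. The sample HTML and the `example.invalid` host are constructed for the demonstration.

```python
"""Heuristic audit of local HTML assets for injected hidden iframes."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate local page with content appended after </html>,
# mimicking malware that injects at the end of the HTML files it finds.
SAMPLE_HTML = """<html><body><h1>Garden ideas</h1>
<p>Local content rendered in WebView.</p></body></html>
<iframe src="http://example.invalid/in.php" width="1" height="1" style="display:none"></iframe>
<a href="http://example.invalid/update.exe">x</a>
"""

TINY_PX = 10  # a width or height at or below this is treated as "tiny"


class IframeAuditor(HTMLParser):
    """Collects iframes and links, recording why each one looks suspicious."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (tag, url, [reasons])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or a.get("href") or ""
        host = urlparse(src).netloc
        reasons = []
        if tag == "iframe":
            if host:  # a locally bundled page rarely needs a remote iframe
                reasons.append("external iframe host %s" % host)
            for dim in ("width", "height"):
                m = re.match(r"\d+", a.get(dim) or "")
                if m and int(m.group()) <= TINY_PX:
                    reasons.append("%s=%s" % (dim, m.group()))
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden via CSS")
        if src.lower().split("?")[0].endswith(".exe"):
            reasons.append("points at a Windows executable")
        if reasons:
            self.findings.append((tag, src, reasons))


def audit_html(html):
    """Return a list of (tag, url, reasons) for suspicious iframes and links."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for tag, url, reasons in audit_html(SAMPLE_HTML):
        print(tag, url, "; ".join(reasons))
```

Run `audit_html` over every HTML file under the app’s assets directory as part of the build so an injection like the one described is caught before the APK is signed.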
This behavior fits well into the Non-Android Threat category recently published by Google’s Android Security team. According to that classification, a Non-Android Threat is an app that is unable to harm the user or the Android device itself, but contains components that are potentially harmful to other platforms.
Fortunately, the fact the attackers tried to employ a Windows executable to infect Android users makes the threat tenuous.