The developers seem to be victims themselves

Mar 1, 2017 21:57 GMT

For some reason or another, 132 Android apps found in the official Google Play marketplace are attempting to infect users with Windows malware. 

This is a rather head-scratching moment, because the two platforms don't really mix. Made by seven different developers, the apps ship local HTML pages that contain tiny hidden IFrames linking to malicious domains.

According to researchers from security firm Palo Alto Networks, the developers appear to be innocent in this case, or at the very least can't be blamed. The researchers believe it is most likely that the developers' development platforms were infected with malware that searches for HTML pages and injects malicious content at the end of every HTML page it finds.

"If this is the case, this is another situation where mobile malware originated from infected development platforms without developers' awareness," they write.

The findings were reported to Google and the 132 apps have since been removed from Google Play. The app list included design ideas for sweets, gardening and coffee tables and it seems that the most popular one had some 10,000 downloads.

All the apps have one thing in common: they employ Android WebView to display static HTML pages. While these pages appear to do nothing more than load locally stored pictures, a deeper look at the code reveals a hidden IFrame linking to malicious domains.

One of the infected pages also attempts to download and install a malicious Microsoft Windows executable file, but since we're talking about an Android device, the file won't actually execute.

Developers seem to be victims

The researchers further speculate that the infection of so many apps has something to do with the fact that the developers all come from somewhere around Indonesia.

"One common way HTML files have been infected with malicious IFrames has been through file infecting viruses like Ramnit. After infecting a Windows host, these viruses search the hard drive for HTML files and append IFrames to each document. If a developer was infected with one of these viruses, their app’s HTML files could be infected. However, given that the developers may all be Indonesia [sic], it’s also possible they may have downloaded an infected [integrated developer environment] from the same hosting website or they used the same infected online app generation platform," they write.
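The pattern described above, a WebView asset page whose only visible content is a local picture and a tiny remote IFrame appended after the closing tag, can be checked for with a simple scan of an app's HTML assets. The following is an added example written for this article, not code from Palo Alto Networks or from the apps; the sample HTML and the domain `malicious.invalid` are constructed, and the heuristics (remote `src` combined with hidden or 1x1 dimensions, and position after `</html>`) are assumptions about what an appended injection looks like.

```python
import re

# Constructed sample, not taken from the report: a page that only shows a
# local picture, with a 1x1 remote IFrame appended after </html>, which is
# how a file-infecting virus that appends to every HTML file would leave it.
INFECTED_HTML = """<html><body><img src="sweets1.png"></body></html>
<iframe src="http://malicious.invalid/x.html" width="1" height="1"
 style="visibility:hidden"></iframe>"""

CLEAN_HTML = "<html><body><img src='coffee.png'></body></html>"

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def _attrs(raw):
    """Parse the attribute string of one tag into a lower-cased dict."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}


def _is_tiny(value):
    """True for width/height values such as '0', '1' or '1px'."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def find_hidden_iframes(html):
    """Return IFrames whose src is remote and which are hidden or 1x1.
    Each finding also records whether the tag sits after </html>,
    the tell-tale position of content appended by a file infector."""
    end_html = html.lower().rfind("</html>")
    findings = []
    for m in IFRAME_RE.finditer(html):
        a = _attrs(m.group(1))
        src = a.get("src", "")
        remote = src.lower().startswith(("http://", "https://", "//"))
        style = a.get("style", "").replace(" ", "").lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or _is_tiny(a.get("width")) or _is_tiny(a.get("height")))
        if remote and hidden:
            findings.append({"src": src,
                             "appended": end_html != -1 and m.start() > end_html})
    return findings


def scan_assets(pages):
    """pages maps asset file name to its HTML; returns only the files that carry findings."""
    return {name: find_hidden_iframes(html) for name, html in pages.items()
            if find_hidden_iframes(html)}
```

Running `scan_assets` over the HTML files extracted from an APK's `assets/` directory gives the list of pages to inspect by hand; a visible, full-size remote IFrame is not flagged, so legitimate embedded content passes.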

By the end of the analysis, the researchers name the developers as "victims."

Thankfully, the damage is nonexistent: the infected apps cause no actual harm to Android users.