Researchers are scratching their heads over a mystery: 132 Android apps in the official Google Play store attempted to infect smartphones with Windows malware.
The apps, which came from seven different developers, mostly contained carefully concealed HTML iframe tags that connected to two highly suspicious malicious domains. In one case, an app didn't use iframes at all but instead used Microsoft's Visual Basic language to inject an entire obfuscated Windows .exe file embedded in the HTML. The apps had two capabilities: one was to insert interstitial ads, the other was to load the main app. That is a lot of effort considering that the Windows-based malware could not execute on an Android device. On top of that, the two domains in the iframes, brenz.pl and chura.pl, were seized by the Polish security authorities in 2013.
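The two indicators described above (a concealed iframe pointing at a known-bad domain, and a VBScript block carrying an embedded Windows executable) can be checked for in an app's bundled HTML assets. The scanner below is an added example written for this article, not Palo Alto Networks' tooling; the sample asset it scans is constructed for illustration, and the "hidden iframe" and "embedded PE" heuristics are assumptions chosen for the demonstration.

```python
"""Scan HTML assets bundled in an Android app for two indicators:
  1. iframes that are visually concealed or point at a blocklisted domain
  2. VBScript blocks that appear to carry an embedded Windows executable
Added example; the sample HTML below is constructed, not taken from any real app."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Domains named in the article; extend from your own threat-intel blocklist.
WATCHLIST = {"brenz.pl", "chura.pl"}

# Heuristics (assumption): a PE file begins with "MZ\x90", which base64-encodes
# to "TVq"; VBScript droppers also commonly carry the payload as a long hex run.
PE_MARKERS = (
    re.compile(r"TVq[A-Za-z0-9+/]{20,}"),
    re.compile(r"[0-9A-Fa-f]{400,}"),
)


def _on_watchlist(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def _is_hidden(attrs: dict) -> bool:
    """Treat 0/1-pixel frames and CSS-hidden frames as concealed."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


class AssetScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_vbscript = False
        self._vb_buf = ""

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe":
            host = (urlparse(attrs.get("src") or "").hostname or "").lower()
            listed, hidden = _on_watchlist(host), _is_hidden(attrs)
            if listed or hidden:
                self.findings.append({"kind": "iframe", "host": host,
                                      "blocklisted": listed, "hidden": hidden})
        elif tag == "script":
            lang = (attrs.get("language") or attrs.get("type") or "").lower()
            self._in_vbscript = "vbscript" in lang
            self._vb_buf = ""

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data; buffer until </script>.
        if self._in_vbscript:
            self._vb_buf += data

    def handle_endtag(self, tag):
        if tag == "script":
            if self._in_vbscript and any(p.search(self._vb_buf) for p in PE_MARKERS):
                self.findings.append({"kind": "vbscript_pe", "bytes": len(self._vb_buf)})
            self._in_vbscript = False
            self._vb_buf = ""


def scan_html(html: str) -> list:
    """Return a list of findings for one HTML asset (empty list if clean)."""
    scanner = AssetScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one hidden blocklisted iframe, one ordinary ad iframe,
# and a VBScript block holding a base64 blob that starts like a PE header.
SAMPLE_ASSET = """<html><body>
<h1>Weather</h1>
<iframe src="http://brenz.pl/rc/" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://ads.example-partner.test/interstitial"></iframe>
<script language="VBScript">
Dim s: s = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0h"
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_ASSET):
        print(finding)
```

In practice you would unzip the APK and run `scan_html` over every file under `assets/` and `res/raw/` that a WebView might load; a hit on the watchlist is high-confidence, while the "hidden iframe" and "long blob" heuristics are only triage signals that warrant a manual look.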
Researchers from Palo Alto Networks, the security firm that discovered the 132 Android apps and reported them to Google so they could be removed, believe the developers didn't intentionally include the malicious domains and executable. Instead, the researchers suspect that the developers unknowingly used the same infected development platform to build the apps. Because the domains were dormant and the malware targeted Windows, the apps posed no threat to the more than 10,000 people who installed them.
"Through this vector, all resources within the app would be available to the attackers and under their control," the researchers wrote. "They could also operate silently to replace the developer's designated server with their own, and as a result, whatever information was sent to the developer's server now falls into the hands of the attacker. Advanced attackers can also directly modify the app's internal logic, i.e., adding a rooting utility, declaring additional permissions, or dropping a malicious APK file, to escalate their capabilities."