Android apps have long been an easy target for exploitation, primarily because of the sheer number of Android users across the globe.
According to security experts, all 132 apps contained a tiny iframe in the source code of HTML pages shown to their users at some point.
This iframe attempted to connect to remote servers and download another payload. All of the remote servers were down when researchers came across the infected apps, but they were known hotspots for malicious activity, having been involved in many Windows malware distribution campaigns.
In fact, CERT Poland had sinkholed two of the domains in 2013, after a series of high-profile attacks.
One app tried to drop an EXE file on Android devices
In one isolated case, besides the iframe, the HTML source code also contained a VBScript that attempted to drop a Base64 encoded Windows executable on the user’s phone.
Obviously, this file wouldn’t be able to do any harm on an Android phone because Android can’t execute EXE files.
Palo Alto Networks researchers, who discovered the infected apps, say this EXE file can modify the network hosts file, change Windows Firewall settings, inject code into another process, and copy itself.
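The two artefacts the report describes, a tiny hidden iframe with a remote source and a VBScript block carrying a Base64-encoded Windows executable, are simple to check for in the HTML assets bundled inside an app package. The scanner below is an added example, not code from Palo Alto Networks or from the article; the sample page and the `placeholder.invalid` domain are constructed, and the VBScript check relies on the fact that a Base64-encoded EXE starts with "TVqQ" (the encoding of the DOS "MZ" header bytes).

```python
import re
from html.parser import HTMLParser

# Constructed sample of an injected page; the domain is a placeholder, not a real indicator.
SAMPLE_HTML = """<html><body><h1>Garden ideas</h1>
<iframe src="http://placeholder.invalid/in.php" width="1" height="1" style="display:none"></iframe><script language="VBScript">
payload = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA="
</script></body></html>"""

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # a long Base64-looking run

def _tiny(value):
    # 0px/1px sizes are the classic invisible-iframe footprint.
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False

class InjectionScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []          # list of (kind, detail) tuples
        self._in_vbscript = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or bool(HIDDEN_CSS.search(a.get("style") or "")))
            # Only a remote src matters: a hidden iframe is how the page reaches out.
            if hidden and src.lower().startswith(("http://", "https://", "//")):
                self.findings.append(("hidden_iframe", src))
        elif tag == "script":
            lang = ((a.get("language") or "") + " " + (a.get("type") or "")).lower()
            self._in_vbscript = "vbscript" in lang

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_vbscript = False

    def handle_data(self, data):
        # VBScript carrying a long Base64 blob; "TVqQ" is the Base64 of the DOS "MZ" header bytes.
        if self._in_vbscript and B64_RUN.search(data):
            self.findings.append(("vbscript_payload", "pe_header" if "TVqQ" in data else "unknown"))

def scan_html(text):
    """Return the findings for one HTML document (e.g. an asset extracted from an APK)."""
    scanner = InjectionScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings
```

Run `scan_html` over every `.html` file unpacked from an APK; a visible iframe with normal dimensions, or a script block without a Base64 blob, produces no finding.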
It should be noted that the apps Palo Alto Networks identified as infected with malware were not high-end apps but commonly downloaded ones, such as design ideas for landscaping a garden, recipes for making cheesecakes, etc.
The issue to be concerned about is that some of these apps have been downloaded 10,000 times.
Google has removed the apps from its Play Store, while Palo Alto Networks suggests that the developers cannot be blamed for the issue: they were probably unaware that the computers they used to develop the apps were infected with malware that searched for HTML pages and injected them with malicious code.
Once installed, the apps containing the malicious code start displaying web pages that contain a hidden iframe, which creates a link between the device and two suspicious domains.
These domains had already been identified as being involved in hosting Windows malware; a Polish security company took control of them in 2013, and the domains were later taken down.
Palo Alto Networks also came across an app that, instead of launching web pages containing iframes, launched a Microsoft Visual Basic script written for Windows, which the team found odd since the script cannot harm Android users.
Researchers are of the opinion that the 132 tainted apps, which link to two defunct yet malicious domains, do not pose a serious threat, and the tampering appears to be accidental. As Ryan Olson, intelligence director at Palo Alto Networks, stated:
“File infecting viruses can bounce around for years, even after these domains are taken offline. They also typically infect executable files and copy themselves to USB and shared drives. The malware that wrote the iframe to these files was probably released before the domains were sinkholed.”
Palo Alto Networks also revealed that the apps had been developed by seven different parties, all of which seem to have a connection with Indonesia. Either way, the best way to protect your device from malicious apps is to keep the number of installed apps limited and never download an app from a third-party app store.