While it’s pretty rare that you’ll come across malware on Android, sometimes it slips through the cracks and presents a threat. Recently, though, a security firm made an interesting discovery ─ 132 apps on Google Play had been secretly hiding the capability to infect user devices with malware. Specifically, malware designed for Windows…

Palo Alto Networks explains that these 132 apps came from several different developers, but mostly contained the same carefully concealed IFrame tags which connected the app and thereby the device to a couple of very obscure, but malicious domains. In one case, the app used Microsoft’s Visual Basic language to load up the entire piece of malicious code directly into the app.

The purpose of all of this was to load interstitial ads and to load up the main malicious applications. It’s all pretty complicated work, so it’s interesting to see that, at the end of the day, none of it can actually do anything. Windows-based malware is totally incapable of executing on an Android OS. Further, two of the domains used, brenz.pl and chura.pl, were actually taken down by Polish security nearly 4 years ago.

What was the purpose then? Palo Alto Networks has a theory: perhaps these developers simply ended up using the same code without knowing it was malicious. The firm explains:

The 132 infected apps we discovered belong to seven different, unrelated developers. There is a geographical connection among the seven different developers: all seven have connections to Indonesia. The most straightforward clue comes from the app name. A significant number of discovered samples have the word “Indonesia” in their names. Moreover, one developer’s website links to a personal blog page written in Indonesian. The clearest pointer, though, is one developer’s certificate clearly states the state to be Indonesia.

One common way HTML files have been infected with malicious IFrames has been through file infecting viruses like Ramnit. After infecting a Windows host, these viruses search the hard drive for HTML files and append IFrames to each document. If a developer was infected with one of these viruses, their app’s HTML files could be infected. However, given that the developers may all be Indonesia, it’s also possible they may have downloaded an infected IDE from the same hosting website or they used the same infected online app generation platform.

In either case, we believe the developers are not malicious and are victims in this attack. There are a few other pieces of supporting evidences from our investigation:

  • All samples share similarities in their coding structure, suggesting that they may be generated from the same platform;
  • Both malicious domains used resolve to sinkholes. If developers were the attacks behind all these, they could have replaced them with working domains to cause real damage;
  • One infected sample attempts to download windows executable file. It suggests that, the attacker does not know about the target platform. Clearly, this is not the case for app developers.

Regardless if this was an intentional move or not, the apps won’t cause any issues on your Android device if you are using them. You can learn more about the issue, including some of the infected apps, in Palo Alto’s full blog post.