Malicious Android apps infected with Windows keyloggers pulled from Google Play

Security researchers from Palo Alto Networks said this week that the majority of the infected apps were released to Google Play between October 2017 and November 2017, which means that many have been lurking in the app store for over six months.

Among the malicious applications were learning and drawing apps, trail bike modification idea software, and gymnastics tutorials. Several have been downloaded over 1,000 times and have achieved four-star ratings.

In total, 145 apps were deemed malicious by the team. However, unusually, the applications did not contain malicious code intended for the Android mobile operating system.

Instead, they contained malicious Microsoft Windows executable files.

This means the apps pose no direct threat to Android devices, despite being distributed through a store built for that operating system. The code is "inert and ineffective on the Android platform," according to Palo Alto, and will only run on Windows systems.

Why Android apps were shipped with Windows malware is unclear, but the most plausible explanation is that the developers built their APK files on Windows machines that were already infected, so the malware's files were packaged into the apps alongside their legitimate assets.

"This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide-scale attacks," the researchers say. "Interestingly, we saw a mixture of infected and non-infected apps from the same developers. We believe the reason might be that developers used different development environments for different apps."

Of particular interest was one PE file which was present in all but three of the malicious apps found in Google Play. This particular file was a keylogger designed for Windows machines.
 
Additional malicious PE files contained code to hide files in Windows system folders, tamper with the Windows registry, and connect to suspicious IP addresses.

The average user is unlikely to be affected by these applications: Android never loads Windows PE files, so on a phone the embedded executables are simply dead weight inside the APK. The picture changes if the APK files, which are ordinary ZIP archives, are unpacked on a Windows machine and the extracted executables are run.
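As an added illustration (this code is not from the ZDNet article or the Palo Alto report), the following Python script does the check a practitioner would want on a suspect or about-to-be-published APK: it treats the APK as the ZIP archive it is and flags every entry that is a Windows PE executable by content, regardless of file extension, by looking for the "MZ" DOS header and the "PE\0\0" signature at the offset stored in e_lfanew. The sample APK, its placeholder Android files and the stand-in PE header are all constructed inline; the actual paths of the PE files inside the Play Store apps are not stated in the article and are not assumed here.

```python
import io
import struct
import zipfile
from typing import List

MZ_MAGIC = b"MZ"           # DOS header signature at offset 0
PE_SIGNATURE = b"PE\0\0"   # NT headers signature at offset e_lfanew
E_LFANEW_OFFSET = 0x3C     # DWORD in the DOS header that points at the PE signature
MAX_HEADER_SPAN = 1 << 20  # refuse absurd e_lfanew values instead of reading huge entries


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def find_pe_files_in_apk(apk_bytes: bytes) -> List[str]:
    """Return the names of all APK entries that are Windows PE executables.

    An APK is an ordinary ZIP archive, so every entry is inspected by content,
    not by extension: an infected build tree can drop a .exe under any name.
    Only the header bytes of each entry are read, so large assets stay cheap.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            with apk.open(info) as entry:
                head = entry.read(E_LFANEW_OFFSET + 4)
                if len(head) < E_LFANEW_OFFSET + 4 or head[:2] != MZ_MAGIC:
                    continue
                e_lfanew = struct.unpack_from("<I", head, E_LFANEW_OFFSET)[0]
                need = e_lfanew + 4
                if need > MAX_HEADER_SPAN:
                    continue  # malformed header; Windows would not load it either
                if need > len(head):
                    head += entry.read(need - len(head))
                if looks_like_pe(head):
                    found.append(info.filename)
    return found


def make_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed stand-in for a Windows executable: headers only, runs nothing."""
    dos_header = bytearray(0x40)
    dos_header[:2] = MZ_MAGIC
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, e_lfanew)
    dos_stub = b"\0" * (e_lfanew - len(dos_header))
    return bytes(dos_header) + dos_stub + PE_SIGNATURE + b"\0" * 20


def build_sample_apk() -> bytes:
    """Constructed APK: placeholder Android files plus one hidden PE under assets/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("AndroidManifest.xml", b"<placeholder manifest>")
        apk.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        apk.writestr("res/drawable/logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 32)
        apk.writestr("assets/notes.txt", b"MZ is not a PE")  # MZ prefix but no header
        apk.writestr("assets/data.bin", make_fake_pe())       # the smuggled executable
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_pe_files_in_apk(build_sample_apk()):
        print("embedded Windows PE:", name)
```

The scan deliberately does not trust extensions or the "MZ" prefix alone: the notes.txt entry starts with "MZ" but is too short to carry a DOS header, so it is not reported, while data.bin is flagged even though nothing in its name suggests an executable. Run against a real APK by passing the file's bytes to find_pe_files_in_apk; a hit is a reason to audit the build machine that produced the app, which is exactly the supply-chain point Palo Alto makes.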
 
"The development environment is a critical part of the software development life cycle," Palo Alto says. "We should always try to secure it first. Otherwise, other security countermeasures could just be attempts in vain."

The findings were reported to Google and the infected apps were quickly pulled from the Play Store.
Source: https://www.zdnet.com
