An investigation executed by researchers from Palo Alto Networks revealed that Google removed more than 145 apps from official Google Play because they have carried Windows malware inside.
The apps were uploaded to the Google Play between October and November 2017. This means that for long months android users were exposed to cyber attacks. Notice that many apps were downloaded thousands of times and rated with 4 stars.
The code embedded in the Android APKs was specially developed to attacks Windows systems and leverage Android users as an attack vector.
“Notably, the infected APK files do not pose any threat to Android devices, as these embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform.” reads the analysis published by Palo Alto networks.
“The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware. This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks.”
According to Palo Alto, when the PE files are executed in Windows system can perform the following activities:
- Creates executable and hidden files in Windows system folders, including copying itself
- Changes Windows registry to auto-start themselves after restarting
- Attempts to sleep for a long period
- Has suspicious network connection activities to IP address 22.214.171.124 via port 8829
The researchers said that one of the malware was included in 142 apps. A second malicious code was found in 21 apps, and 15 apps have contained both PE files embedded. Only in one case, the PE file included in the apps was a keylogger.
“After investigating all those malicious PE files, we found that there is one PE file which infects most of the Android apps, and the malicious activity of that PE file is key logging.” continues the analysis.
“On a Windows system, this key logger attempts to log keystrokes, which can include sensitive information like credit card numbers, social security numbers and passwords.”
Hackers build the PE files using fake names that look like legitimate, e.g., Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.
“The malicious PE files cannot directly run on the Android hosts. However, if the APK file is unpacked on a Windows machine and the PE files are accidentally executed, or the developers also issue Windows-based software, or if the developers are infected with malicious files runnable on Android platforms, the situation will go much worse.” concludes Palo Alto Networks.
“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain,”
Following is presented a table that depicts the infected apps:
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also Freelance Writer (Infosec. Resources Institute and Cyber Defense Magazine) and developer of the 0xSI_f33d – a feed that compiles phishing and malware campaigns targeting Portuguese citizens.
Read more here.