145 Windows-malware loaded Play Store Apps, deleted by Google
Google, upon the advice of Palo Alto Networks from last week, has deleted 145 apps in its Google Play Store which were proven harboring malicious Windows-based malware. The apps were originally published in the Play Store from Oct 2017 to Nov 2017, enough time for many of the infected apps to record thousands of downloads and decent 4-star reviews. The apps themselves work as expected, as the Android runtime environment ignores the hidden Windows virus. The bundled malicious code does not harm any Android user, but just increase the installation size of the app occupying the device’s storage. The embedded malware also makes the Android device a carrier of a Windows infection, as any Android phone or table is plug&play compatible, they function similarly to a USB flash drive connected with a USB cable to a PC.
Three apps were specifically named by Palo Alto Networks in its report, Gymnastics Training Tutorial, Learn to Draw Clothing and Idea Pattern Shirt. All of them had a 4-star good rating prior to the Google take down, enough credential to grow their user base. Android has been known to be a more vulnerable mobile platform for spreading malware, given that it is the only mobile OS that allows easy side loading. But Palo Alto Network’s discovery is the first time that a mobile app has a built-in malware not designed for the mobile device, but for a Windows PC.
The only time that the malware will infect a Windows PC is if the Android device gets plugged-in as a USB storage. Plus the user needs to deliberately execute the infected file, which is highly unlikely to happen. When viewed using Windows Explorer, the infected files show bearing a .exe extension, samples of which are: Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.
“Infected APKs are not a threat to Android smartphones. The malware can only work on a computer that runs on Windows. Most of the infected apps were on Google Play between October 2017 and November 2017. We reported the problem to the Google security team and all infected apps were removed from the Play Store,” Palo Alto representative emphasized.
Palo Alto Networks from their point-of-view believes that the infection of the 145 Android apps was probably just an accident. There is a possibility that the Windows PCs used by their respective developers were already infected, without their knowledge. And the infection just penetrated their Android development environment and its finished product, the files, which is the standard Android package format accepted for publishing in Google Play Store.
“This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide-scale attacks. Interestingly, we saw a mixture of infected and non-infected apps from the same developers. We believe the reason might be that developers used different development environment for different apps. The development environment is a critical part of the software development lifecycle. We should always try to secure it first. Otherwise, other security countermeasures could just be attempts in vain,” Palo Alto Networks explained.
Android developers are advised to keep their Android development environment and computers free from any Windows malware infection.
Kevin Jones951 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.