Researchers with Palo Alto Networks today reported finding 132 Android apps on Google Play whose HTML code was injected with hidden, malicious iframes, likely due to malware infecting a development platform used by the apps’ creators.
The iframes link to a pair of domains, but fortunately, they are both inactive, having been taken over and sinkholed in 2013 by the Polish CERT, Palo Alto explained in a blog post.
Interestingly, there was one infected app whose code even contained VBScript with an encoded Windows executable. Although the executable is designed to modify the network host’s file, alter firewall settings, and inject code into other processes, this malicious program is rendered innocuous by Android devices, since it is designed to infect only the Windows OS. “We believe this is an instance where malware that targeted Windows altered HTML pages that eventually were used on Android,” a Palo Alto spokesperson told SC Media via its Unit 42 threat research team.
The affected apps come from seven different developers, all of which are based in Indonesia. They also all use Android WebView to render and display static HTML pages. Apps include various design programs focusing on subjects like knitting, gardening and furniture. One of them was installed by more than 10,000 users, Palo Alto noted, before Google removed the 132 apps from its store.
SC Media contacted Google, which confirmed Palo Alto’s account.
Assuming it was the apps’ development platform that was initially infected, the researchers’ findings “represent a novel way for platforms to be a ‘carrier’ for malware: not be infected themselves but spread the malware to other platforms without realizing it,” Palo Alto asserted in its blog post.