
132 Google Play apps found containing malicious iframes

Researchers with Palo Alto Networks today reported finding 132 Android apps on Google Play whose HTML code was injected with hidden, malicious iframes, likely due to malware infecting a development platform used by the apps' creators.

The iframes link to a pair of domains, but fortunately, they are both inactive, having been taken over and sinkholed in 2013 by the Polish CERT, Palo Alto explained in a blog post.

Interestingly, the code of one infected app even contained VBScript with an encoded Windows executable. Although the executable is designed to modify the network hosts file, alter firewall settings, and inject code into other processes, it is harmless on Android devices, since it is designed to infect only the Windows OS. "We believe this is an instance where malware that targeted Windows altered HTML pages that eventually were used on Android," a Palo Alto spokesperson told SC Media via its Unit 42 threat research team.

The affected apps come from seven different developers, all of whom are based in Indonesia. They also all use Android WebView to render and display static HTML pages. Apps include various design programs focusing on subjects like knitting, gardening and furniture. One of them was installed by more than 10,000 users, Palo Alto noted, before Google removed the 132 apps from its store.

SC Media contacted Google, which confirmed Palo Alto's account.

Assuming it was the apps' development platform that was initially infected, the researchers' findings "represent a novel way for platforms to be a 'carrier' for malware: not be infected themselves but spread the malware to other platforms without realizing it," Palo Alto asserted in its blog post.
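As an added example (not code from Palo Alto's post or from this article), the following audit checks a static HTML page bundled for WebView and flags iframes that load from hosts outside an allowlist, marks the hidden ones, and reports VBScript blocks. The hiding heuristics, the names `AssetAuditor` and `audit_html`, and the sample hosts are assumptions for illustration; the article does not say how the iframes were hidden.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed heuristics: the article only says the iframes were "hidden".
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "1", "0px", "1px"}

def _host(src):
    try:
        return urlsplit(src).hostname or ""
    except ValueError:  # malformed URL, e.g. an unbalanced IPv6 bracket
        return ""

class AssetAuditor(HTMLParser):
    """Collects (line, kind, detail) findings for one bundled HTML page."""
    def __init__(self, allowed_hosts=()):
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip() for k, v in attrs}
        line = self.getpos()[0]
        if tag == "iframe":
            host = _host(a.get("src", ""))
            hidden = ("hidden" in a
                      or bool(HIDDEN_STYLE.search(a.get("style", "")))
                      or a.get("width", "").lower() in TINY
                      or a.get("height", "").lower() in TINY)
            # Relative (local) frames have no host and are not reported.
            if host and host not in self.allowed_hosts:
                kind = "hidden-remote-iframe" if hidden else "remote-iframe"
                self.findings.append((line, kind, host))
        elif tag == "script":
            lang = (a.get("language", "") + " " + a.get("type", "")).lower()
            if "vbscript" in lang:  # inert in WebView, but a sign of tampering
                self.findings.append((line, "vbscript", lang.strip()))

def audit_html(text, allowed_hosts=()):
    parser = AssetAuditor(allowed_hosts)
    parser.feed(text)
    parser.close()
    return parser.findings

# Constructed sample page; hosts use the reserved .example TLD.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://sinkholed.example/x" width="1" height="1"></iframe>
<script language="VBScript">' constructed placeholder, no payload</script>
</body></html>"""
```

Run over the HTML assets of a build before publishing, a check like this would surface pages that were altered on the development machine after they were written.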

Bradley Barth
