Researchers report that more than 130 Android apps contain malicious code, most likely because their developers built them on infected computers.
The apps were found to generate hidden iframes (HTML documents embedded inside a web page) that link to two domains hosting malware.
As of this writing, the apps have been removed from the Google Play store. The developers of the apps might not be at fault for including the malicious code.
In fact, the development platforms the app developers used to build them were most likely infected with malware that looks for HTML pages and injects the malicious code.
The tainted apps offered design ideas for everyday activities such as baking cakes, gardening, and other crafts and hobbies. Surprisingly, the most popular of the infected apps had been downloaded more than 10,000 times.
Once installed, the apps display seemingly benign web pages. Those pages, however, may contain a small hidden iframe that links to the two malicious domains.
The two domains had previously been flagged for hosting Windows malware. A Polish security team took them down in 2013, yet Google still lists them as websites that are dangerous to visit.
Although the domains in question have been neutralized, it is unclear why the apps still link to them. Palo Alto Networks also came across one peculiar app sample that contained no iframes but instead a Microsoft Visual Basic script intended for Windows.
The script cannot affect an Android user, and its presence in the app is odd. This leads the researchers to believe that the machine the developer used during app development was infected with malware.
Some malware, such as the Windows-based Ramnit, has been known to search for files on a computer and inject them with malicious code, Palo Alto Networks said. “After infecting a Windows host, these viruses search the hard drive for HTML files and append iFrames to each document,” the company said.
The bottom line: if a developer’s computer is infected by one of these viruses, any Android app under development that includes HTML files could be infected as well.
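The infection pattern described above (an iframe appended to every HTML file on the build machine, then shipped inside the app) is something a release pipeline can check for before an APK is packaged. The following Python scanner is an added example, not code from Palo Alto Networks or from the apps in question; the sample pages and the placeholder domain are constructed, and the hiding heuristics (1x1 frames, hidden attribute or CSS) are assumptions about what such an infector leaves behind, while "appended after </html>" follows the report's own description.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample pages (not from the article). The tainted copy has a 1x1
# hidden iframe appended after </html>, the way the file infectors described
# above modify HTML documents; the domain is a placeholder, not a real IoC.
SAMPLE_CLEAN = ("<html><body><h1>Chocolate cake</h1>"
                "<p>Mix, bake, enjoy.</p></body></html>\n")
SAMPLE_TAINTED = SAMPLE_CLEAN + (
    '<iframe src="http://malicious-placeholder.example/index.php" '
    'width="1" height="1" style="visibility:hidden"></iframe>\n')

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# attribute name with an optional quoted or bare value (bare "hidden" has none)
ATTR_RE = re.compile(r'(\w+)(?:\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+)))?')
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

@dataclass
class Finding:
    src_host: str   # host the frame loads; "" when src is missing or relative
    hidden: bool    # 0/1-pixel size, a hidden attribute, or hiding CSS
    appended: bool  # sits after </html>, i.e. tacked onto a finished file

def _attrs(tag: str) -> dict[str, str]:
    """Parse one <iframe ...> tag's attributes into a dict keyed by lowercase name."""
    body = tag[len("<iframe"):]  # skip the tag name so it is not read as an attribute
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(body)}

def scan_html(content: str) -> list[Finding]:
    """Describe every iframe in a document, noting the traits an infector leaves."""
    html_close = content.lower().rfind("</html>")
    findings = []
    for m in IFRAME_RE.finditer(content):
        a = _attrs(m.group(0))
        tiny = all(a.get(k, "").rstrip("px") in ("0", "1") for k in ("width", "height"))
        hidden = tiny or "hidden" in a or bool(HIDDEN_STYLE_RE.search(a.get("style", "")))
        findings.append(Finding(
            src_host=urlparse(a.get("src", "")).hostname or "",
            hidden=hidden,
            appended=html_close != -1 and m.start() > html_close))
    return findings

def suspicious_hosts(content: str) -> set[str]:
    """Hosts reached only via hidden or appended iframes: what to alert on or block."""
    return {f.src_host for f in scan_html(content)
            if f.src_host and (f.hidden or f.appended)}
```

Run scan_html over every .html file under the app's assets before packaging; a host in suspicious_hosts that the app does not legitimately embed points at the build machine, not the app, as the thing that needs cleaning.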
The researchers have been analyzing possible scenarios, one of which is that the app developers downloaded and installed development tools that had already been injected with the malicious code.
Since the malicious domains are defunct, they do not pose much of a threat, and the tampered code may be circumstantial.
Viruses released into the wild can lurk on the internet for years; in this instance the malicious domains have already been taken down, but the virus itself will likely remain in circulation for quite some time before it is fully eradicated.
Other variants can infect files and spread via USB and shared drives, leaving cracks in which they can remain hidden for some time.
The malware that wrote the iframes into these files might have been released before the domains were taken offline.
Things could take a different turn if another malware developer tries to replicate the attack and wreak havoc using the same technique; after all, there is already a working model to follow. One possibility is secretly infecting developers’ apps to steal users’ information or drop other strains of malware.
Once an attack or method of spreading has proven successful, others can capitalize on the concept and make it more potent than ever.
It has been confirmed that the 132 apps come from seven different parties, all of which appear to have ties to Indonesia.