Even though Google's Android is the most widely used smartphone operating system globally, it has long been criticized for its numerous vulnerabilities that can lead to breaches of users' privacy. The most recent case was the Gooligan malware that reportedly affected over 1 million Google accounts. Before that, there was a malware called HummingBad, which affected millions of Android devices. Now, researchers have discovered a rather interesting Windows-based malware that has affected as many as 132 apps on Google Play Store.
The apps, discovered by a security firm called Palo Alto Networks, were infected with tiny hidden IFrames. Put simply, an IFrame is an HTML document embedded inside another HTML document on a website. In a blog post, the security firm explains the discovery of this Windows malware. After a thorough investigation, it was discovered that the developers of these apps are not to be blamed for this Windows malware. In fact, the firm argues that during the creation of these apps, the development platforms were infected with this malware, which injects malicious content into HTML pages. Note here that IFrames are used to insert content from another source, such as ads, into a webpage.
Worry not, as this incident has been reported to the Google Security Team and all the infected Android apps have been removed from Google Play Store. The infected Android apps were mostly about learning how to make crochet blankets, DIY phone cases, knitting pattern cases, home interior designing and more. These apps had mostly to do with learning and information. It was also discovered that all these apps had something else in common, which was the usage of Android WebView to display static HTML pages.
After analyzing the web pages, it was found that the actual HTML code revealed a tiny hidden IFrame which was linked to malicious domains. The investigation also found that most of the infected apps were traced to a common geographical location but the developers were unrelated. The majority of the apps were also shown to originate from Indonesia, as the country's name was visible with the apps.
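A developer can check the static HTML pages bundled for WebView for this pattern before publishing. The following Python sketch is an added example, not code from Palo Alto Networks' post; the function names, the sample page and the rules for what counts as "tiny" or "hidden" are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumption: "tiny hidden" means a 0/1-pixel frame or CSS that hides it.
TINY = {"0", "1", "0px", "1px"}
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

class IframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).netloc.lower()  # empty for bundled/relative pages
        size = {a.get("width", "").lower(), a.get("height", "").lower()}
        hidden = (bool(size & TINY) or "hidden" in a
                  or bool(HIDING_CSS.search(a.get("style", ""))))
        # Flag only frames that are both hidden and served from a remote host.
        if host and hidden:
            self.findings.append(
                {"line": self.getpos()[0], "host": host, "src": src})

def scan_html(text):
    auditor = IframeAuditor()
    auditor.feed(text)
    return auditor.findings

def scan_assets(root):
    # Scan every .html/.htm file under an app's asset directory.
    hits = {}
    for path in Path(root).rglob("*.htm*"):
        found = scan_html(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample page; hosts use the reserved .example TLD.
SAMPLE = """<html><body>
<iframe src="pattern2.html" width="300" height="200"></iframe>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://sinkholed.example/rc/" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>
"""
```

Running `scan_assets` over a project's asset folder in the build pipeline reports the file, line and remote host of each match, so an injected frame is caught even when the developer never wrote it.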
"Both malicious domains used resolve to sinkholes. If developers were the attack[er]s behind all these, they could have replaced them with working domains to cause real damage. One infected sample attempts to download a Windows executable file. It suggests that the attacker does not know about the target platform. Clearly, this is not the case for app developers," the firm said in a blog post.
Among these infected pages, one is said to have attempted to download and install a malicious windows.exe file while the page is being loaded. But since the platform is Android, the Windows malware cannot be executed. Although the infected apps will not affect Android devices, the blog post highlights that this shouldn't be taken lightly, since it shows how other platforms can be a carrier for malware too. The blog post further elaborates that attackers can easily replace the current malicious domains with advertising URLs to generate revenue. This not only steals revenue from app developers, but can also damage the developers' reputation.