Google removed 132 apps infected with malicious iFrames from its Google Play store after security researchers discovered a development platform used to create the apps was infected with malware and in turn compromised the apps.
Palo Alto Networks’ Unit 42 researchers said the apps were infected with hidden iFrames used in HTML files that linked to malicious domains. It estimated a half dozen Android developers were using the infected development platform and that there were an estimated 250,000 installs of the 132 rogue apps. The most popular of the apps had more than 10,000 installs, according to Unit 42.
“The developers of these infected apps can’t be blamed. They are the victims here,” said researcher Ryan Olson. He added, Android users were never at risk either. That’s because the malicious domains the apps linked to have been under the control of Poland’s Computer Emergency Response Team for the past three years.
Unit 42 said the app infections were similar to a 2015 rash of infections by XcodeGhost, also found by Palo Alto Networks. In that case, attackers infected 39 apps hosted on Apple’s App Store. Similar to this most recent infection, attackers hosted a malicious version of Apple’s Xcode development environment used to build iOS apps.
Unit 42 called the Android infections “accidental.” It suspects a group of Malaysian-based developers had their computers compromised by either the malware botnet Virut or the worm Ramnit. Once PCs were infected, Olson said, malware didn’t target executables, but instead infected Android APKs and inserted code that created the hidden iFrames in HTML files.
A subset of all infected samples on Google Play.
The function of the 132 Android apps was to download niche webpages for offline or cached viewing. When a user opened one of the websites, the HTML file would be infected and display a 1-by-1 pixel iFrame that pointed to a malicious domain that would either serve up ads or attempt to compromise the browser.
The potential harm to an Android device was zero for two reasons. One, because the malicious domains were under the control of Poland’s CERT. Additionally, infected HTML files were never designed to function within the Android ecosystem, but rather targeted Windows PCs, Olson said.
Unit 42 remarks that, similar to XcodeGhost, infections happened within the context of the development platform making detection by app security teams harder. “Developers may have been known and established. And any apps submitted were likely not red flagged, as they might be with a first-time developer,” Olson said.
“This does represent a novel way for platforms to be a ‘carrier’ for malware: not be infected themselves but spread the malware to other platforms without realizing it,” according the technical analysis of the infected apps.
Unit 42 said a more focused attack using this technique could be successful. “An attacker could easily replace the current malicious domains with advertising URLs to generate revenue… Secondly, aggressive attackers could place malicious scripts on the remote server and utilize a JavaScript interface to access the infected apps’ native functionality.”
Researchers said using this vector, all resources within the app would be available to the attackers and under their control. “They could also operate silently to replace the developer’s designated server with their own, and as a result, whatever information that was sent to developer’s server now falls in hands of the attacker,” according to the report.
Unit 42 also warned this type attack could also allow attackers to directly modify the app’s internal logic and allow them to add a rooting utility, additional permissions or add additional malicious APK files to escalate an attacker’s capabilities.
