Researchers have found up to 145 Android apps on the Google Play store infected by malicious Microsoft Windows executable files capable of planting key-loggers on Windows systems.
Researchers at Palo Alto Networks’ Unit 42 said Monday that they suspect the Android developers involved were unwitting accomplices: the apps were built on Windows development machines that, unbeknownst to the developers, were already infected.
“Notably, the infected APK files do not pose any threat to Android devices, as these embedded Windows executable binaries can only run on Windows systems: They are inert and ineffective on the Android platform,” the researchers said in a post. “The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware.”
The infected apps included an app teaching people how to draw and design clothing (Learn to Draw Clothing), an app showing images of trail bike modification ideas (Modification Trail), and an app letting people find healthy ideas for gymnastic moves (Gymnastics Training Tutorial).
“Interestingly, we saw a mixture of infected and non-infected apps from the same developers,” researchers said. “We believe the reason might be that developers used different development environments for different apps.”
Palo Alto noted that many of the infected apps were released to Google Play between October 2017 and November 2017 – meaning they have been in the app store for more than half a year. Several of the infected apps have more than 1,000 installations and four-star ratings. Google did not respond to a request for comment from Threatpost, but Palo Alto researchers said the Google Security Team removed the apps from Google Play.
The key-logger found in most of the infected apps attempts to log keystrokes on Windows systems, capturing anything typed, including credit-card numbers, Social Security numbers and passwords. The embedded executables carry innocuous-sounding file names such as Android.exe, my music.exe and gallery.exe to make them look legitimate.
If extracted and executed on a Windows system, the malicious PE files also perform a range of other suspicious actions: they drop executable and hidden files into Windows system folders, modify the Windows registry so that they auto-start after a reboot, and make network connections to the IP address 220.127.116.11 on port 8829.
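An APK is a ZIP archive, so the simplest check for this class of contamination is to walk every entry and look for a Windows PE image regardless of the file's name or extension: a DOS header (`MZ`) whose `e_lfanew` field points at a `PE\0\0` signature. The scanner below is an added example written for this article, not Unit 42's tooling; the sample APK, the minimal PE headers and the file names are constructed here for illustration (the names `Android.exe` and `gallery.exe` echo those reported above).

```python
import io
import struct
import zipfile

# Machine field of the COFF file header -> human-readable architecture.
MACHINE_NAMES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def is_pe(data):
    """Return (True, machine) if data starts with a DOS header whose e_lfanew
    points at a valid PE signature, otherwise (False, None)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte COFF header to be in range.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return True, machine


def scan_apk(apk_bytes):
    """Return [(entry name, architecture)] for every ZIP entry that is a PE image.
    The entry's extension is ignored: an .exe renamed to .png is still flagged."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            ok, machine = is_pe(z.read(info))
            if ok:
                findings.append((info.filename, MACHINE_NAMES.get(machine, hex(machine))))
    return findings


def build_min_pe(machine=0x14C):
    """Constructed for this example: the smallest byte string that passes is_pe().
    It is a bare header, not a runnable or malicious binary."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def build_sample_apk():
    """Constructed APK-like archive: ordinary-looking entries plus two embedded PE
    files under innocuous names, and one near-miss that starts with MZ but has no PE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")       # placeholder, not real binary XML
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)  # DEX magic, padded
        z.writestr("assets/Android.exe", build_min_pe(0x14C))
        z.writestr("res/raw/gallery.exe", build_min_pe(0x8664))
        z.writestr("assets/notes.txt",
                   b"MZ is just two letters; this text file has no PE signature at all.")
    return buf.getvalue()


if __name__ == "__main__":
    # To check a real package: scan_apk(open("app.apk", "rb").read())
    for name, arch in scan_apk(build_sample_apk()):
        print(f"embedded Windows PE: {name} ({arch})")
```

The check reads the whole entry rather than only its first few bytes because `e_lfanew` can legitimately point some distance past the DOS stub; matching on the PE signature rather than the `.exe` suffix is what catches a payload that has been renamed to blend in with image or media assets.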
While the malicious files cannot run on the Android hosts, their presence points to a software-supply-chain threat: the developers’ Windows build machines are compromised, and any Windows software those developers ship could carry the same infection. Compromising software developers has proven to be an effective tactic for various wide-scale attacks, including KeRanger, XcodeGhost and the infamous NotPetya campaign.
Craig Young, computer security researcher for Tripwire, told Threatpost that the fact that some of the payloads delivered are for Windows rather than a mobile platform indicates that the attackers are likely testing this strategy and have not yet created full infrastructure in support of their campaign.
“This is an often-overlooked aspect of supply-chain insecurity,” he told us. “Malware authors have known for a long time that the best way to get malware installed on devices is to bundle it with software people want. In recent years, we’ve seen a lot of malware masquerading as legitimate apps, but typically these apps are only published in third-party app stores, and when they do make it into more reputable stores, they are not being widely installed. Android and iOS malware authors have since turned to infecting development kits, advertising libraries and other tools involved with app production. Similar to the XCodeGhost malware campaign on iOS, this attack involves manipulating app sources produced by unwitting app developers.”