As much as 132 Google Play applications tried to infect Android users with Windows malware. However, security researchers suspect to believe that developers did not intentionally spawn the malicious apps.
Old Windows Malware May Infect Android Apps
According to Ars Technica, the suspected 132 Android apps from the official Google Play market were spawned by seven different developers. The apps mostly contained carefully concealed HTML-based iframe tags that connect to two malicious domains. To inject an entire Windows executable into the HTML, in the case of one application, Microsoft's Visual Basic language was used instead of iframes.
The suspected applications were equipped with two capabilities. One was to load the main app and one was to load interstitial ads. The main application loaded WebView components configured to allow JavaScript code to access the native functionality of the app.
According to Computerworld, considering that the Windows-based malware is incapable of executing on an Android device, it is unclear for what reason all the malicious coding work was done. Researchers from the security firm discovered the 132 Android apps, Palo Alto Networks, believe the developers didn't intentionally include the malicious executable and domains. They suspect that the developers instead unknowingly used the same infected programming platform to code the apps.
All the developers shared a geographic proximity to Indonesia. They are not malicious and, most likely, are victims of this attack. Researchers have come to this conclusion considering that all samples appear to be generated from the same platform, as they share similarities in their coding structure.
Potential Damages Due To Malware Infected Android Apps
The good news is that, currently, Android users don't have reasons to fear any damage caused by the infected apps. However, the malware may spread to other platforms. By attacking developers, the malware can impact end-users.
The focus on Windows-based malware and the dormant domains prevented the apps from posing a threat to the people who installed the apps. However, the researchers fear that it might have been possible for the malicious apps to be lead to real damage. Under one scenario, in case that the iframes would have linked to active domains, they could have used the JavaScript settings to access the native functionality of the apps.
All resources within the app would be available and under control of the hackers through this vector. The attackers could also replace the developer's designated server with their own. In this case, whatever information sent to the developer's server would fall in the hands of the hackers.
