One of the infected pages also attempted to download and install a malicious Microsoft Windows executable, OS-specific malware that cannot run on Android.
Palo Alto Networks researchers discovered the bad apps; the most popular of them has more than 10,000 installs on its own. The apps were traced to seven different, unrelated developers, all of whom appear to be located in Indonesia or to have ties to the country.
Palo Alto researchers said the developers’ development platforms were infected with malware that searches for HTML pages and appends malicious content to the end of each HTML page it finds. Alternatively, the developers may have downloaded an infected integrated development environment (IDE) from the same hosting website, or used the same infected online app-generation platform.
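Because the described malware appends its payload after the page's real content, a practical check is to open an APK as the zip archive it is, pull every HTML asset, and flag anything that follows the closing tags, in particular remote script or iframe references. The scanner below is an added example, not Palo Alto's tooling or code from any of the affected apps; it assumes the injection lands after `</body>`/`</html>` (as the report describes), and the sample pages, the `assets/` entry names and the host `evil.example` are constructed for illustration.

```python
import io
import re
import zipfile
from typing import Dict, List

# Case-insensitive matchers for the closing tags and for remote script/iframe sources.
_HTML_CLOSE = re.compile(rb"</html\s*>", re.IGNORECASE)
_BODY_CLOSE = re.compile(rb"</body\s*>", re.IGNORECASE)
_REMOTE_REF = re.compile(
    rb"<(?:script|iframe)\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE
)


def scan_html(data: bytes) -> List[str]:
    """Return findings for one HTML document; an empty list means nothing suspicious."""
    findings: List[str] = []

    # Anything after the LAST </html> is not legitimate page content.
    last_html = None
    for last_html in _HTML_CLOSE.finditer(data):
        pass
    if last_html is not None:
        tail = data[last_html.end():].strip()
        if tail:
            findings.append("content after </html>: %s" % tail[:80].decode("utf-8", "replace"))

    # Remote script/iframe tags after </body> are the classic appended-injection shape.
    last_body = None
    for last_body in _BODY_CLOSE.finditer(data):
        pass
    if last_body is not None:
        for ref in _REMOTE_REF.finditer(data, last_body.end()):
            findings.append(
                "remote script/iframe after </body>: %s" % ref.group(1).decode("utf-8", "replace")
            )
    return findings


def scan_apk(apk_bytes: bytes) -> Dict[str, List[str]]:
    """Scan every .html/.htm entry under assets/ in an APK (a zip) and return {entry: findings}."""
    results: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("assets/") and name.lower().endswith((".html", ".htm")):
                findings = scan_html(zf.read(name))
                if findings:
                    results[name] = findings
    return results


# Constructed sample pages (not taken from the infected apps).
CLEAN_PAGE = b"<html><head><title>Help</title></head><body><p>Hi</p></body></html>\n"
INJECTED_PAGE = CLEAN_PAGE + b'<iframe src="http://evil.example/x.html" width=0 height=0></iframe>\n'


def build_sample_apk() -> bytes:
    """Build a minimal APK-like zip in memory with one clean and one injected asset page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("assets/help.html", CLEAN_PAGE)
        zf.writestr("assets/about.html", INJECTED_PAGE)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_apk(build_sample_apk()).items():
        for hit in hits:
            print(entry, "->", hit)
```

Run it against a real APK by passing the file's bytes to `scan_apk`; it only inspects `assets/`, so widen the prefix check if an app ships HTML under `res/raw/` or elsewhere. A page with no `</html>` at all yields no trailing-content finding, so treat "no findings" as "nothing matched these two patterns", not as a clean bill of health.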
All in all, the developers do not seem to have had malicious intentions; they appear to be victims themselves.
“Through this vector, all resources within the app would be available to the attackers and under their control. They could also operate silently to replace the developer’s designated server with their own, and as a result, whatever information was sent to the developer’s server now falls into the hands of the attacker. Advanced attackers can also directly modify the app’s internal logic, i.e., adding rooting utility, declaring additional permissions, or dropping malicious APK file, to escalate their capabilities,” Palo Alto researchers said.