Google Play Removes Infected Apps

Thursday, March 2, 2017 @ 05:03 PM gHale


Google removed 132 Android apps from Google Play because, unbeknownst to their developers, they had hidden iFrames that linked to malicious domains.

While that is bad news, on the bright side, users were in no immediate danger because the malicious domains had been sinkholed by the Polish CERT in 2013.


Also, one of the infected pages attempted to download and install a malicious Microsoft Windows executable file – OS-specific malware that would not work on Android.

Palo Alto Networks researchers discovered the bad apps, the most popular of which alone had more than 10,000 installs. The apps trace back to seven different, unrelated developers that all appear to be located in Indonesia or have ties to the country.

Palo Alto researchers said the developers’ development platforms were infected with malware that searches for HTML pages and injects malicious content at the end of every page it finds. Alternatively, the developers may have downloaded an infected integrated development environment (IDE) from the same hosting website, or used the same infected online app generation platform.
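The injection pattern described above (an iframe appended after the end of an otherwise benign HTML file bundled in the app) is straightforward to check for once an APK has been unpacked. The following scanner is an added example written for this article, not code from Palo Alto Networks or from the affected apps; the sample HTML, the `KNOWN_BAD_DOMAINS` list and the `app.example` / `sinkholed.example` hostnames are constructed placeholders, not the campaign's real domains. It walks a directory of extracted assets, parses each HTML file, and flags iframes that point off the app's own domain and are either styled invisible (zero size or `display:none`) or reference a domain already on a block list.

```python
"""Scan unpacked Android app assets for hidden iframes injected into HTML files.

Added example for the article above; hostnames and samples are constructed."""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical block list a defender maintains (e.g. domains known to be sinkholed).
# These are placeholders, not the domains from the real campaign.
KNOWN_BAD_DOMAINS = {"sinkholed.example", "malicious.example"}

_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _is_tiny(value):
    """True for width/height attribute values of 0 or 1 (e.g. '0', '0px', '1')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect every <iframe> with its src and whether it is styled invisible."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                  or bool(_HIDDEN_STYLE.search(a.get("style") or "")))
        self.iframes.append({"src": a.get("src") or "", "hidden": hidden})


def scan_html(text, page_domain=None):
    """Return findings for one HTML document.

    A finding is an iframe whose src points to a host other than page_domain and
    which is either hidden or whose host is on the block list. Content appended
    after </html> is still parsed, which is exactly where the injection lands."""
    parser = IframeCollector()
    parser.feed(text)
    findings = []
    for frame in parser.iframes:
        host = urlparse(frame["src"]).hostname
        if host is None:
            continue  # relative/local iframe, not an injected external reference
        reasons = []
        if frame["hidden"]:
            reasons.append("hidden")
        if host in KNOWN_BAD_DOMAINS:
            reasons.append("known-bad-domain")
        if host != page_domain and reasons:
            findings.append({"src": frame["src"], "host": host, "reasons": reasons})
    return findings


def scan_directory(root, page_domain=None):
    """Walk an unpacked APK's assets and return {path: findings} for flagged files."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = scan_html(fh.read(), page_domain)
                if findings:
                    results[path] = findings
    return results


# Constructed samples: a benign app page, and the same page with an invisible
# iframe appended after </html>, mirroring the injection described in the article.
SAMPLE_CLEAN = ("<html><body><h1>Hello</h1>"
                "<iframe src='https://app.example/help'></iframe></body></html>")
SAMPLE_INFECTED = SAMPLE_CLEAN + (
    '\n<iframe src="http://sinkholed.example/x.php" width="0" height="0" '
    'style="display:none"></iframe>')

if __name__ == "__main__":
    for label, doc in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        print(label, scan_html(doc, page_domain="app.example"))
```

Run it against the `assets/` directory of an unpacked APK with `scan_directory("assets", page_domain="<the app's own host>")`; the `page_domain` argument keeps an app's legitimate iframes to its own backend out of the report, while anything appended by a build-environment infection shows up with its host and the reason it was flagged.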

All in all, the developers seem not to have had malicious intentions. They just appeared to be victims.

“It’s easy to envision a more focused and successful attack: An attacker could easily replace the current malicious domains with advertising URLs to generate revenue,” researchers said in a blog post. “This not only steals revenue from app developers, but also can damage the developers’ reputation. Secondly, aggressive attackers could place malicious scripts on the remote server and utilize the JavaScriptInterface to access the infected apps’ native functionality.

“Through this vector, all resources within the app would be available to the attackers and under their control. They could also operate silently to replace the developer’s designated server with their own, and as a result, whatever information was sent to the developer’s server now falls into the hands of the attacker. Advanced attackers can also directly modify the app’s internal logic, i.e., adding rooting utility, declaring additional permissions, or dropping malicious APK file, to escalate their capabilities,” Palo Alto researchers said.
