Security experts reported that the official Google Play store has removed 145 applications that were carrying Windows malware.
The malicious applications were uploaded to the Google Play store between October and November last year, meaning that Android users were exposed to them for months. According to the researchers, some of the apps had been downloaded thousands of times and were rated 4 stars.
The malware included in the app code was created to compromise Windows systems and leverage the Android device as an attack vector.
“Notably, the infected APK files do not pose any threat to Android devices, as these embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform.” the analysis by Palo Alto Networks states.
“The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware. This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks.”
According to Palo Alto Networks researchers, when executed on a Windows system the malicious PE file performs the following suspicious activities:
- Creates executable and hidden files in Windows system folders, including copying itself
- Modifies the Windows registry so that it auto-starts after a reboot
- Attempts to sleep for a long period
- Has suspicious network connection activities to IP address 188.8.131.52 via port 8829
According to the security researchers, the malicious PE files were embedded in most applications.
The experts also found that one of the malicious PE files was included in 142 APKs and a second one in 21 APKs; 15 apps in total were said to contain both PE files.
The attackers tried to conceal the PE files by giving them fake names that resemble legitimate files, such as Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.
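Because the file names are chosen to look harmless, a check based on content rather than name is the useful one. As an added defender-side example (not code from the report or from Palo Alto Networks), the scanner below opens an APK as the ZIP archive it is and flags every entry that starts with a DOS "MZ" header whose e_lfanew field points at a "PE\0\0" signature, whatever the entry is called; the sample archive and the stand-in PE header are constructed inline.

```python
import io
import struct
import zipfile

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def looks_like_pe(data: bytes) -> bool:
    """True if `data` begins with a DOS/PE header: 'MZ' at offset 0 and
    'PE\\0\\0' at the offset stored in the e_lfanew field (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def find_embedded_pe(apk_bytes: bytes) -> list:
    """Scan every entry of an APK (a ZIP archive) and return the names of
    entries whose content is a Windows PE image, regardless of file name."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            with apk.open(info) as fh:
                head = fh.read(0x400)  # both headers sit at the start of the file
            if looks_like_pe(head):
                hits.append(info.filename)
    return hits


def _fake_pe() -> bytes:
    """Constructed stand-in for a PE image: DOS header with e_lfanew = 0x80
    and the PE signature at 0x80. It is not a runnable executable."""
    hdr = bytearray(0x100)
    hdr[:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = PE_SIGNATURE
    return bytes(hdr)


def build_sample_apk() -> bytes:
    """Constructed APK-like ZIP: ordinary entries plus two disguised PE files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        z.writestr("assets/images.exe", _fake_pe())     # one of the names from the report
        z.writestr("res/raw/gallery.dat", _fake_pe())   # PE content under a non-.exe name
        z.writestr("assets/notes.exe", b"MZ" + b"\0" * 10)  # too short to be a PE header
    return buf.getvalue()
```

Running `find_embedded_pe(build_sample_apk())` reports the two entries that really carry a PE header and ignores the truncated one, which is why the check keys on the header layout and not on the `.exe` suffix.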
According to the experts, not all the apps uploaded by the same developers were infected with the malicious files, probably because those developers were using different development platforms.
“The malicious PE files cannot directly run on the Android hosts. However, if the APK file is unpacked on a Windows machine and the PE files are accidentally executed, or the developers also issue Windows-based software, or if the developers are infected with malicious files runnable on Android platforms, the situation will go much worse.” Palo Alto Networks says.
“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain.”