Cybersecurity researchers from Palo Alto Networks discovered 145 Android mobile apps on Google Play containing malicious code. Some of them have over 1,000 downloads and 4-star ratings.
Cybersecurity researchers from Palo Alto Networks Unit 42 have discovered 145 Android mobile apps on Google Play containing malicious code in the form of executables for Microsoft Windows. Most of the infected apps were released between October and November 2017, which means that they had been on Google Play for more than seven months without being recognized as dangerous. Some of them have over 1,000 downloads and 4-star ratings. The discoverers promptly informed Google of the presence of these malicious applications, which were promptly removed from the official store. The fact that the APKs of these apps are infected means that the developers built their software on compromised Windows systems, which had in turn been infected by malware. It is assumed that the developers may have been unwitting victims of targeted attacks aimed at compromising the software production line, as has already happened several times.
What the malicious PE executable files try to do
In some of the cases analyzed by the cybersecurity experts, the same APK file contained more than one malicious PE executable file, placed in different locations in the package under apparently innocuous names (for example, "Android.exe", "my music.exe", "COPY_DOKKEP.exe", "js.exe", "gallery.exe", "images.exe", "msn.exe" and "css.exe"). The Palo Alto Networks Unit 42 researchers identified in particular two PE files embedded in all the infected apps, one of them with a keylogger function. In general, the executables identified by the researchers carry out the following malicious actions if launched on Windows machines: they create executable files and hidden files in various system folders, including copies of the malware itself; they modify the Windows registry so that they are automatically executed on reboot; they remain dormant for a long period of time; and they attempt to connect to a specific IP address on port 8829.
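A defender-side check for the pattern described above, added here as an example (it is not part of the article or of Unit 42's tooling): it walks every entry of an APK (a ZIP archive) and flags any entry that carries a Windows PE header, regardless of the filename it hides behind. The sample APK and the PE-shaped blob inside it are constructed in the code.

```python
import io
import struct
import zipfile


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_pe(apk_bytes: bytes) -> list:
    """Return the names of all ZIP entries in the APK that are Windows PE files, whatever they are called."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)  # e_lfanew normally points well inside the first few KB
            if looks_like_pe(head):
                hits.append(info.filename)
    return hits


def make_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew = 0x40, PE signature at offset 0x40."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 60


def make_sample_apk() -> bytes:
    """Constructed sample APK mimicking the layout the article describes: PE files scattered under harmless names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        zf.writestr("assets/images.exe", make_fake_pe())    # one of the names quoted in the article
        zf.writestr("res/raw/gallery.png", make_fake_pe())  # a PE hidden behind a non-.exe extension
        zf.writestr("assets/readme.txt", b"MZ not a PE")    # MZ prefix but no PE signature: must not match
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_embedded_pe(make_sample_apk()):
        print("embedded PE:", name)
```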
The Italian National CERT: to avoid falling victim to this type of malware, do not download apps from unofficial stores, carefully check the reputation of any app of dubious origin on Google Play, and install and maintain an updated antivirus solution on your device.
The Italian National CERT emphasized that the infected apps do not pose a threat to Android devices, because the malicious code embedded in them can only run on Windows systems. However, these apps could become a real cyber threat if the infected APKs were downloaded and unpacked on a Windows PC and the PE executables inadvertently launched, or if the same developer used the infected machine to also produce Windows applications. To avoid falling victim to this type of malware, the Italian cybersecurity experts recommend that users of Android devices not download apps from unofficial stores, carefully check the reputation of any app of dubious origin on Google Play, and install and maintain an updated antivirus solution on their device.