Key-logging crims hide Windows malware in 145 apps on Google Play

Are Android developers building apps on seriously compromised Windows PCs?

Cybercriminals are experimenting with a new way to infect Windows PCs: not through malicious email attachments in spam or compromised websites, but through infected Android apps that are harmless to Android devices yet a threat to Windows users who explore those apps on a PC.

Google recently removed 145 Android apps from Google Play after researchers from Palo Alto Networks Unit 42 discovered a series of Android package (APK) files that cannot cause harm to Android devices but do contain embedded malicious binaries that run exclusively on Windows PCs. Those binaries harm Windows users by stealing credit card numbers and passwords typed on the infected machine.

One oddity was that the APK files appeared to have been built on Windows PCs that were themselves infected with malware. Hence, Palo Alto Networks' Unit 42 researchers classed this as a "supply chain attack", where an innocent third-party developer is abused to compromise other intended targets, as in the NotPetya not-ransomware attack that badly affected several global organizations via an accounting software package used almost exclusively in Ukraine.

The apps were available on the Play Store between October 2017 and November 2017, and the security firm says they were available on Google’s official app store for more than six months, meaning Google only recently removed them. Some of the apps were downloaded more than 1,000 times and had the benefit of 4-star ratings.

The finding is a new twist on Unit 42's earlier discovery of 132 Android apps on the Play Store containing hidden iFrames that linked to web pages which loaded Windows malware. Again, the researchers believed the apps were victims of a supply chain attack. However, Sophos researchers argued it was actually the work of a single bad Android developer.

This time, Unit 42 says that some of the same developers had released infected and non-infected apps, which could be because the developers used different Android development environments to build their Android apps.

The apps themselves were fairly innocuous looking, and don’t appear to target specific types of people. One included “Learn to Draw Clothing”, another was “Gymnastics Training Tutorial” to help people find new workout moves. Another was “Modification Trail”, which displayed images of trail bike modification ideas. In other words, anyone with a bit of cash to spend.

The main pattern they found was that the malicious-to-Windows APK files mostly contained two Portable Executable (PE) files, the Windows binary format used for .exe and .dll files.

One of the PE files is widely recognized by antivirus firms as a malicious file called “images.exe”, which was embedded in 142 APK files. A second called “bdfabde9e45693a2_ground.exe” infected 21 APK files. 15 APK files had both of them. The researchers’ conclusion: “These developers’ machines may be seriously infected by various malware families.”

The main purpose of the malicious PE files analyzed was key-logging, suggesting this was a concerted cybercriminal enterprise that is surreptitiously spreading Windows key-logging malware through Android apps on Google Play to capture credentials, and other potentially high value numbers such as banking card details and social security numbers for identity fraud. 

“The malicious PE files cannot directly run on the Android hosts. However, if the APK file is unpacked on a Windows machine and the PE files are accidentally executed, or the developers also issue Windows-based software, or if the developers are infected with malicious files runnable on Android platforms, the situation will go much worse,” write Unit 42 researchers. 

To hide on Windows machines infected via Android apps, the files use names like "Android.exe", "my music.exe", "COPY_DOKKEP.exe", "js.exe", "gallery.exe", "images.exe", "msn.exe" and "css.exe".

The malware causes harm when an Android APK file is unpacked or extracted on a Windows machine. This suggests it is aimed at Android users with Windows machines who are curious about exploring the internals of an Android app but are not necessarily developers. To do this, users would typically use popular archive tools such as WinZip or WinRAR to extract the .apk file and inspect its contents.
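A defender-side check for the pattern described in the two paragraphs above, added here as an example that is not from the article or from Unit 42: an APK is a ZIP archive, so a build or app-store pipeline can open it and flag any entry that begins like a Windows PE file, regardless of the file name it was given. The sample archive and the PE stub below are constructed for the demonstration.

```python
import io
import struct
import zipfile


def build_fake_pe() -> bytes:
    """Constructed stand-in for a Windows binary (not a real executable):
    a 64-byte DOS header whose e_lfanew field (offset 0x3C) points at a
    'PE\\0\\0' signature, which is how every PE file starts on disk."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)   # e_lfanew -> offset 64
    return bytes(dos_header) + b"PE\0\0" + b"\0" * 20


def looks_like_pe(data: bytes) -> bool:
    """True only if 'MZ' is present AND e_lfanew points at a PE signature;
    a text file that merely starts with 'MZ' does not qualify."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_embedded_pe(apk_bytes: bytes) -> list:
    """Return the names of entries inside an APK that start like a PE file.
    Extensions are ignored on purpose: the article lists names such as
    'images.exe' and 'my music.exe', but nothing forces a '.exe' suffix."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)   # DOS header plus room for e_lfanew target
            if looks_like_pe(head):
                hits.append(info.filename)
    return hits


def build_sample_apk() -> bytes:
    """Constructed APK-like archive: manifest, a DEX-like file, one embedded
    PE stub, and a text file that starts with 'MZ' to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        zf.writestr("assets/images.exe", build_fake_pe())
        zf.writestr("assets/notes.txt", b"MZ" + b"x" * 100)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_embedded_pe(build_sample_apk()))   # ['assets/images.exe']
```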
