More than one hundred Android apps on Google’s Play Store have been found to exploit hidden iFrames that pull code from malicious domains.
The compromised apps all use Android WebView to display static HTML pages, and range in topics from gardening to cheesecake.
Android WebView lets the apps load pictures and hard-coded text. But each of them contains a secret. Palo Alto Networks’ Unit 42 researchers Xiao Zhang, Wenjun Hu, and Shawn Jin elaborate on this point in a blog post:
“Each HTML page only displays pictures and text. However, at the end of each HTML page, a tiny hidden iFrame component has been added. We have observed two techniques used to hide this iFrame. One is to make the iFrame tiny by setting its height and width to be 1 pixel. The other one is to set the display attribute in the iFrame specification to None. Finally, to evade detection based on simple string matching, the source URLs are obfuscated using HTML number codes.”
The iFrames all converge on two domains that Poland’s Computer Emergency Response Team (CERT) previously sinkholed back in 2013. Because of this, the domains aren’t pushing out any malware at this time. Android users can therefore breathe a sigh of relief.
Not all of the apps behave the same, however.
In one curious case, an app’s HTML page doesn’t contain a malicious iFrame, but instead makes an attempt (which fails on Android devices) to drop a malicious Windows executable:
During our investigation, we also identified a sample that didn’t contain an infected IFrame, but an entire VBScript was injected into the HTML. The script contained a Base64 encoded Windows executable that (on a Windows system) the script would decode, write to the file system, and execute. Since VBScript is a proprietary Microsoft Windows scripting language, the script is inert and does not execute on the Android platform: this piece of code will not cause damage to Android users.
So why did these developers decide to include these techniques in their apps?
Chances are, these seven different and unrelated app developers aren’t the ones to blame. Unit 42 found that all of the developers have ties to Indonesia. For this reason, not to mention similarities in the apps’ coding structure, the researchers believe these developers might have used the same app generation platform that contained an infected IDE.
Google has removed all these apps from its Play Store as of this writing.
As we all know, however, these aren’t the first malicious apps to appear on Google’s official app marketplace, and they almost certainly won’t be the last.
Users should therefore consider having an anti-virus solution installed on their mobile devices. Such tools don’t provide comprehensive protection, but they can help to identify malicious domains such as the ones linked to by these apps’ IFrames.