132 Android apps found in the Google Play Store exploiting malicious iFrames

One of the apps tried – and failed – to push out Windows malware.


More than one hundred Android apps on Google's Play Store have been found to exploit hidden iFrames that pull code from malicious domains.

The compromised apps all use Android WebView to display static HTML pages, and range in topics from gardening to cheesecake.


One of the infected apps and its code. (Source: Unit 42)

Android WebView lets the apps load pictures and hard-coded text. But each of them contains a secret. Palo Alto Networks' Unit 42 researchers Xiao Zhang, Wenjun Hu, and Shawn Jin elaborate on this point in a blog post:

"Each HTML page only displays pictures and text. However, at the end of each HTML page, a tiny hidden iFrame component has been added. We have observed two techniques used to hide this iFrame. One is to make the iFrame tiny by setting its height and width to be 1 pixel. The other one is to set the display attribute in the iFrame specification to None. Finally, to evade detection based on simple string matching, the source URLs are obfuscated using HTML number codes."
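A scanner for the two hiding techniques and the numeric-entity obfuscation described in that quote, as an added example that is not from the article or from Unit 42. The sample page, the placeholder domains and the function names are constructed for illustration.

```python
import html
import re

# Constructed sample page: visible content plus hidden iframes. The first src is
# obfuscated with HTML numeric character references; all domains are placeholders.
SAMPLE_HTML = """<html><body>
<h1>Cheesecake recipes</h1>
<img src="cake.png"><p>Mix, bake, chill.</p>
<iframe width="1" height="1" src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#109;&#97;&#108;&#105;&#99;&#105;&#111;&#117;&#115;&#46;&#101;&#120;&#97;&#109;&#112;&#108;&#101;&#47;&#105;&#46;&#112;&#104;&#112;"></iframe>
<iframe style="display: none" src="http://benign-looking.example/"></iframe>
<iframe width="600" height="400" src="https://www.example.com/video"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')

def parse_attrs(attr_text):
    """Return the tag's attributes as a dict, values left raw (not unescaped)."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs

def _dim(value):
    value = value.strip().lower().removesuffix("px")
    return int(value) if value.isdigit() else None

def is_tiny(attrs):
    """Technique 1: width and height both forced to one pixel (or zero)."""
    w, h = _dim(attrs.get("width", "")), _dim(attrs.get("height", ""))
    return w is not None and h is not None and w <= 1 and h <= 1

def is_display_none(attrs):
    """Technique 2: inline style hides the frame entirely."""
    style = re.sub(r"\s+", "", attrs.get("style", "")).lower()
    return "display:none" in style

def find_hidden_iframes(page):
    """Report hidden iframes with their decoded src and whether it was obfuscated."""
    findings = []
    for m in IFRAME_RE.finditer(page):
        attrs = parse_attrs(m.group(1))
        reasons = (["1x1"] if is_tiny(attrs) else []) + (["display:none"] if is_display_none(attrs) else [])
        if not reasons:
            continue
        raw_src = attrs.get("src", "")
        src = html.unescape(raw_src)  # undo &#NNN; character references
        findings.append({"src": src, "reasons": reasons, "obfuscated": src != raw_src})
    return findings

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f)
```

Run against a WebView app's bundled HTML assets, the decoded `src` values are what you would check against a domain blocklist or sinkhole list.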

The iFrames all converge on two domains that Poland's Computer Emergency Response Team (CERT) previously sinkholed back in 2013. Because of this, the domains aren't pushing out any malware at this time. Android users can therefore breathe a sigh of relief.

Not all of the apps behave the same, however.

In one curious case, an app's HTML page doesn't contain a malicious iFrame, but instead makes an attempt (which fails on Android devices) to drop a malicious Windows executable:

During our investigation, we also identified a sample that didn’t contain an infected IFrame, but an entire VBScript was injected into the HTML. The script contained a Base64 encoded Windows executable that (on a Windows system) the script would decode, write to the file system, and execute. Since VBScript is a proprietary Microsoft Windows scripting language, the script is inert and does not execute on the Android platform: this piece of code will not cause damage to Android users.


An attempt to drop a Windows executable file. (Source: Unit 42)

So why did these developers decide to include these techniques in their apps?

Chances are, these seven different and unrelated app developers aren't the ones to blame. Unit 42 found that all of the developers have ties to Indonesia. For this reason, not to mention similarities in the apps' coding structure, the researchers believe these developers might have used the same app generation platform that contained an infected IDE.

Google has removed all these apps from its Play Store as of this writing.

As we all know, however, these aren't the first malicious apps to appear on Google's official app marketplace, and they almost certainly won't be the last.

Users should therefore consider having an anti-virus solution installed on their mobile devices. Such tools don't provide comprehensive protection, but they can help to identify malicious domains such as the ones linked to by these apps' iFrames.


One Response

  1. telwebb

    March 3, 2017 at 11:17 am

    I appreciate that those apps affected have been removed from playstore, but how can you find out if you have one of them already installed?
    Thanks
