Security researchers at Palo Alto Networks' Unit 42 have discovered apps on Google Play that carry malicious Windows executable files.
The infected apps are teaching and tutorial titles, among them Learn to Draw Clothing (a guide to drawing clothing designs), Gymnastics Training (a tutorial on gymnastics moves) and Modification Trail (an app showing ideas for trail-bike modifications). Surprisingly, these apps pose no threat to Android devices, even though they are Android apps built for that operating system: the malicious files embedded in them are Windows executables, which cannot run on Android. According to the researchers, the infected APKs were built on Windows machines that were themselves infected with malware, so the payload that ended up inside the apps targets only Windows.
According to Palo Alto, most of the infected apps were published on Google Play between October and November 2017, so they had been available for the better part of a year before being found. The apps carried 4-star ratings and had been downloaded more than 1,000 times.
What makes these apps interesting is the nature of the payload: a keylogger. The embedded executable does nothing on the phone, but if it is extracted from the APK and run on a Windows system it performs a series of suspicious actions. It creates hidden folders, files and executables, connects to a suspicious network address (188.8.131.52 on port 8829), and modifies the Windows registry so that it is relaunched automatically. Once installed, the keylogger records keystrokes on the Windows machine, so passwords, credit card numbers and other personal data can be captured.
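The practical check that follows from this case is to look inside an APK for Windows PE files before it is signed and shipped. An APK is an ordinary ZIP archive, so every entry can be tested for the PE layout: an `MZ` DOS header, an `e_lfanew` pointer at offset 0x3C, and the `PE\0\0` signature followed by the COFF header. The script below is an added example written for this article; it is not code from the Unit 42 report or from any of the affected apps. The sample APK it scans is constructed in memory with a minimal fake PE header so that it runs offline, and the entry names (`assets/images/setup.exe`, `res/raw/helper.dll`) are assumptions chosen for the demonstration.

```python
"""Scan an APK (a ZIP archive) for embedded Windows PE executables.

Added example for this article, not code from the Unit 42 report or the
affected apps. The sample APK is constructed in memory with a fake PE header
so the script runs offline; the entry names are assumptions.
"""
import io
import struct
import zipfile

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\0\0"
# IMAGE_FILE_MACHINE_* values from the PE/COFF specification.
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
HEADER_WINDOW = 64 * 1024  # enough for any realistic DOS stub before the PE signature


def parse_pe_header(data: bytes):
    """Return (machine_name, is_dll) if `data` starts with a valid PE image, else None."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Signature (4 bytes) plus COFF header (20 bytes) must fit inside the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    machine, = struct.unpack_from("<H", data, e_lfanew + 4)
    characteristics, = struct.unpack_from("<H", data, e_lfanew + 22)
    return MACHINE_NAMES.get(machine, hex(machine)), bool(characteristics & IMAGE_FILE_DLL)


def scan_apk(apk_bytes: bytes):
    """Return [(entry_name, machine, is_dll)] for every ZIP entry that is a PE file.

    The check is by content, not by file extension: a payload dropped into a
    resource folder under a harmless-looking name is still caught.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(HEADER_WINDOW)  # headers live at the front; no need to read whole assets
            parsed = parse_pe_header(head)
            if parsed:
                hits.append((info.filename, parsed[0], parsed[1]))
    return hits


def fake_pe(machine=0x14C, characteristics=0x0102):
    """Build a minimal PE header (DOS header + signature + COFF header) for the demo."""
    dos = bytearray(0x40)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature directly after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + PE_MAGIC + coff + b"\0" * 64


def build_sample_apk() -> bytes:
    """Constructed sample: a few benign-looking entries plus two planted PE files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")            # placeholder, not real binary XML
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 32)
        zf.writestr("res/drawable/lesson.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
        zf.writestr("assets/images/setup.exe", fake_pe())                      # 32-bit EXE
        zf.writestr("res/raw/helper.dll", fake_pe(0x8664, 0x2022))             # 64-bit DLL
    return buf.getvalue()


if __name__ == "__main__":
    for name, machine, is_dll in scan_apk(build_sample_apk()):
        print(f"PE file inside APK: {name} ({machine}, {'DLL' if is_dll else 'EXE'})")
```

Run against a real APK by replacing `build_sample_apk()` with the file's bytes. Any PE hit in an app that ships no Windows component is a build-environment compromise to investigate, whatever the file is called; the same check belongs in the CI step that signs release builds, so a developer's infected workstation cannot push a Windows binary into a Play Store package unnoticed.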
Many malicious apps posing as legitimate, trusted titles have been seen in the Play Store before, but in most of those cases the apps were actually hosted by third-party app stores that connect to Google Play. In this case the apps were distributed through Google Play itself.
Even though the executables cannot run on or infect Android systems, they do pose a threat to the software supply chain: a developer's build machine was compromised, and the infection was carried into the finished product without anyone noticing. That the payload targets Windows suggests the attackers may have been testing their approach and could be preparing a larger campaign. Palo Alto reported its findings to Google immediately, and most of the infected apps were quickly removed from the Play Store.