Cyber-security researchers have just discovered hundreds of malicious Google Play Apps infected with Windows Executable files. These infected apps specifically include teaching and tutorial apps – Learn to Draw Clothing (teaching people how to draw design clothing), Gymnastics Training (tutorial about gymnastics moves), and Modification Trail (an app showing ideas of trail bike modification).
Surprisingly, these malware-laced apps do not pose any threat whatsoever to Android devices, even though they are engineered specifically for that type of operating system. According to the security researchers, the infected APKs were created using Windows systems infected with malwares, so they are specifically created to infect only Windows OS.
According to Palo Alto’s Unit 42, most of the infected apps were distributed via Google Play platform between October and November 2017, which means that the malicious apps have been in circulation for more than 6 months. After careful evaluation of the apps’ activities, these apps were rated 4-stars and they were downloaded and installed more than 1,000 times.
The interesting part of these apps’ malicious nature is that they are plagued with Keyloggers. Once the apps are downloaded, it automatically performs a wide assortment of dubious activities once executed on a Windows system which includes creation of hidden folders/files, and executables.
These executable files are coded to connect to a suspicious network address (220.127.116.11 via port 8829) and modify Windows registry systems to restart themselves automatically. The Keyloggers, once embedded can record keystrokes on Windows systems – meaning passwords, credit card information and personal data can be easily obtained.
We’ve seen a lot of malicious apps in Play Store posing as legitimate and trusted. But in reality, these apps are being hosted by 3rd-party app stores connecting to Google Play Store.
These makes them more accessible to hackers, and malware attackers exploit this type of activity – manipulating app sources from developers and injecting APKs with malicious contents to widely spread the infection.
As mentioned earlier, even though the apps cannot run directly or infect Android systems, they do post a threat to the supply chain. The fact that the attacks are designed for Windows platforms – one could obviously identify that the attackers themselves are more likely doing this for testing purposes and could be planning for one major campaign.
The researchers’ findings were immediately brought to Google and most of the infected apps were quickly removed from the Play Store.