Researchers from Palo Alto Networks have revealed that they discovered 132 Android apps on the Google Play store which were infected with “tiny hidden iFrames that link to malicious domains in their local HTML pages”.
The most popular of them alone had more than 10,000 installs. The investigation indicates that the developers of these infected apps are not to blame, but are more likely victims themselves.
Xiao Zhang, Wenjun Hu and Shawn Jin said: “We believe it is most likely that the app developers' development platforms were infected with malware that searches for HTML pages and injects malicious content at the end of the HTML pages it finds.”
They add: “If this is the case, this is another situation where mobile malware originated from infected development platforms without developers' awareness. We have reported our findings to Google Security Team and all infected apps have been removed from Google Play.”
The infected apps the researchers observed included apps for design ideas ranging from cheesecake to gardening and coffee tables.
What all the apps have in common is that they employ Android WebView to display static HTML pages. At first glance, each page does nothing more than load locally stored pictures and show hard-coded text.
However, a deep analysis of the actual HTML code reveals a tiny hidden iFrame that links to well-known malicious domains. Although the linked domains were down at the time of investigation, the fact that so many apps on Google Play are infected is notable.
What is more notable, according to the researchers, is that one of the infected pages also attempts to download and install a malicious Microsoft Windows executable file at the time of page loading, but as the device is not running Windows, it will not execute.
The researchers said: “This behaviour fits well in the Non-Android Threat category recently released by the Google Android Security. According to the classification, Non-Android Threat refers to apps that are unable to cause harm to the user or Android device, but contains components that are potentially harmful to other platforms.”
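A check a developer could run over an app's bundled HTML pages before publishing, as an added example (not code from Palo Alto Networks or the original article): it flags iframes that load a remote host while being tiny or hidden, and records whether they sit after the closing `</html>` tag, where the researchers say the content was injected. The 2-pixel threshold, the CSS patterns and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY_PX = 2  # assumption: "tiny" means at most this many pixels on a side
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample: a static WebView page with content appended after </html>.
SAMPLE = """<html>
<body>
<img src="images/cake1.jpg">
<p>Ten cheesecake ideas</p>
<iframe src="gallery.html" width="300" height="200"></iframe>
</body>
</html>
<iframe src="http://injected.example.invalid/in.cgi" width="1" height="1" style="visibility: hidden"></iframe>
"""

def _px(value):
    """Leading integer of a size attribute ('1', '1px'), or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.html_closed = False  # set once </html> has been seen
        self.findings = []

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).netloc
        if not host:
            return  # relative src: frame loads a page bundled with the app
        sizes = [_px(a.get("width")), _px(a.get("height"))]
        tiny = any(s is not None and s <= TINY_PX for s in sizes)
        hidden = bool(HIDDEN_CSS.search(a.get("style", "")))
        if tiny or hidden:
            self.findings.append({"host": host, "line": self.getpos()[0], "tiny": tiny,
                                  "hidden": hidden, "after_html_end": self.html_closed})

def audit_html(text):
    """Return one finding per invisible iframe that points at a remote host."""
    parser = IframeAudit()
    parser.feed(text)
    parser.close()
    return parser.findings
```

Running `audit_html` on every `.html` file under an unpacked APK's `assets/` directory and comparing the hits against the files in source control shows whether a build machine altered pages the developer never touched.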