Security Researchers at Palo Alto Networks have made a shocking new discovery that around 145 applications available on the Google Play Store contain malicious Microsoft Windows executable files. Some of the apps which have been infected with malware have already been downloaded more than a thousand times. Among the apps include learning and drawing apps, gymnastic tutorial apps etc.
The apps did not have malicious code that could infect Android mobile operating system. It requires a Windows system to be executed to infect the device as it contains malicious Microsoft Windows executable files. The Android devices get infected only if they are connected to a Windows computer and download any of the infected app’s source code to run the PE file hidden inside.
Anyhow the presence of these infected apps on the official Google Play Store is indeed concerning. It also shows that the software developer ‘odieapps’ is not giving much consideration to the security aspect of the apps.
The researchers at Palo Alto Networks researcher mentioned in their blog post that, these embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform. The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware.
They claim that such an infection causes threat to the entire software supply chain because it gives way for a larger attack scale for KeRanger and NotPetya sort of malware.
Some of the malicious apps are Men’s Design Ideas, Gymnastics Training Tutorial, Learn to Draw Clothing, Modification Trial, Hair Paint Color etc.
Most of these apps contained Windows keylogger. The researchers claim that all the apps were infected with different types of Windows malware strains and were packed as Portable Executable files (PE). While some of the apps contain different malware infections, were infected multiple times and were developed by different developers. It was discovered that a specific PE file was present in the source code of 142 apps.
The malware strains and the keylogger got into the apps only after the app developers got infected with the malware, such as were developed on an infected OS. These infected apps were added to the Play Store between Oct 2017 and Nov 2017.
Another interesting thing is that these infected apps were in the Google Play for more than 6 months which indicates that they have been staying there undetected by Google for such a long duration. Google however withdrew all the infected apps from its official Play Store.