{"id":6824,"date":"2017-03-01T14:30:26","date_gmt":"2017-03-01T22:30:26","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/01\/news-615\/"},"modified":"2017-03-01T14:30:26","modified_gmt":"2017-03-01T22:30:26","slug":"news-615","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/01\/news-615\/","title":{"rendered":"Old Windows malware may have infected 132 Android apps"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt2.staticworld.net\/images\/article\/2017\/03\/first-google-100711418-medium.jpg\"\/><\/p>\n<p><strong>Credit to Author: Michael Kan| Date: Wed, 01 Mar 2017 13:59:00 -0800<\/strong><\/p>\n<p>More than 130 Android apps on the Google Play store have been found to contain malicious coding, possibly because the developers were using infected computers, according to security researchers.<\/p>\n<p>The 132 apps were found generating hidden iframes, or an HTML document embedded inside a webpage, linking to two domains that have hosted malware, according to security firm Palo Alto Networks.<\/p>\n<p>Google has already removed the apps from its Play store. But what&#8217;s interesting is the developers behind the apps probably aren&#8217;t to blame for including the malicious code, Palo Alto Networks said in a Wednesday <a href=\"http:\/\/researchcenter.paloaltonetworks.com\/2017\/03\/unit42-google-play-apps-infected-malicious-iframes\/\" target=\"_blank\">blog post<\/a>.<\/p>\n<p>Instead, the platforms the developers used to build these apps were probably infected with malware that looks for HTML pages and then injects the malicious coding, the company said.<\/p>\n<p>Many of these tainted apps offered design ideas for things like cheesecakes, landscaping a garden, or laying out a patio. The most popular had more than 10,000 downloads.<\/p>\n<p>One of the apps found injected with malicious coding.\u00a0<\/p>\n<p>When installed, the apps would display seemingly benign webpages. 
However, in reality, the pages shown contain a tiny hidden iframe that links to two suspicious domains.<\/p>\n<p>Both domains were previously involved in hosting Windows malware. But in 2013, a Polish security team took over the domains, and they&#8217;ve effectively been shut down, Palo Alto Networks said. Nevertheless, Google still flags them as dangerous to visit.<\/p>\n<p>Why the apps were linking to two malicious but defunct domains still isn&#8217;t clear. However, Palo Alto Networks also came across one peculiar app sample that didn&#8217;t contain the problematic iframes, but instead a Microsoft Visual Basic script used for Windows.<\/p>\n<p>It&#8217;s an odd thing to include, given that the script won&#8217;t harm any Android users. But it&#8217;s\u00a0possible the developers behind these apps had their Windows machines infected with malware.<\/p>\n<p>Some malware, such as the Windows-based Ramnit, has been known to search for files on a computer and inject them with malicious coding, Palo Alto Networks said. &#8220;After infecting a Windows host, these viruses search the hard drive for HTML files and append iFrames to each document,&#8221; the company said.<\/p>\n<p>&#8220;If a developer was infected with one of these viruses, their app&#8217;s HTML files could be infected,&#8221; Palo Alto Networks added.<\/p>\n<p>In another scenario, it&#8217;s possible the app makers downloaded developer tools that were already tainted with the malicious coding.<\/p>\n<p>Because these 132 apps linked to two now-defunct malicious domains, they actually don&#8217;t pose much of a threat. It may be that whoever tampered with these apps did so accidentally.<\/p>\n<p>&#8220;File infecting viruses can bounce around for years, even after these domains are taken offline,&#8221; Ryan Olson, intelligence director at Palo Alto Networks, said in an email.<\/p>\n<p>&#8220;They also typically infect executable files and copy themselves to USB and shared drives,&#8221; he added. 
&#8220;The malware that wrote the iframe to these files was probably released before the domains were sinkholed.&#8221;<\/p>\n<p>Still, the bigger worry is that someone else might try to replicate the attack to cause actual danger, like secretly infecting developer apps to steal users&#8217; information or drop other strains of malware.<\/p>\n<p>&#8220;It&#8217;s easy to envision a more focused and successful attack,&#8221; Palo Alto Networks said in its blog post.<\/p>\n<p>The developers of the 132 apps come from seven different parties, but appear to all have ties with Indonesia, the security firm said.\u00a0<\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3176174\/security\/old-windows-malware-may-have-infected-132-android-apps.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt2.staticworld.net\/images\/article\/2017\/03\/first-google-100711418-medium.jpg\"\/><\/p>\n<p><strong>Credit to Author: Michael Kan| Date: Wed, 01 Mar 2017 13:59:00 -0800<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>More than 130 Android apps on the Google Play store have been found to contain malicious coding, possibly because the developers were using infected computers, according to security researchers.<\/p>\n<p>The 132 apps were found generating hidden iframes, or an HTML document embedded inside a webpage, linking to two domains that have hosted malware, according to security firm Palo Alto Networks.<\/p>\n<p>Google has already removed the apps from its Play store. 
But what&#8217;s interesting is the developers behind the apps probably aren&#8217;t to blame for including the malicious code, Palo Alto Networks said in a Wednesday <a href=\"http:\/\/researchcenter.paloaltonetworks.com\/2017\/03\/unit42-google-play-apps-infected-malicious-iframes\/\" target=\"_blank\">blog post<\/a>.<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3176174\/security\/old-windows-malware-may-have-infected-132-android-apps.html#jump\">To read this article in full or to leave a comment, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10462,714],"class_list":["post-6824","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-android","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6824"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6824\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/inde
x.php\/wp-json\/wp\/v2\/tags?post=6824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}