Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Android Apps Carrying Windows Malware Yanked From Google Play

Google recently removed 145 applications from Google Play after they were found to carry malicious Windows executables inside, Palo Alto Networks reveals.

Google recently removed 145 applications from Google Play after they were found to carry malicious Windows executables inside, Palo Alto Networks reveals.

Most of the infected applications, Palo Alto’s researchers say, were uploaded to the application store between October and November 2017 and remained there for over half a year. Google removed all of them after being alerted on the issue.

While not representing a threat to the Android users who downloaded and installed them, the malicious code within these APKs is proof of the dangers posed by supply chain attacks: the software developers built these applications on compromised Windows systems.

Some of the infected Android applications had over 1000 downloads and 4-star ratings before being removed from Google Play.

The security researchers discovered that some of the infected APKs contained multiple malicious PE files at different locations, with different names. However, two malicious files were found embedded in most applications.

One of the files was present in 142 APKs, while the second had infected 21 APKs. The security firm also found 15 apps with both PE files inside, as well as some APKs with a number of other malicious PE files inside.

The researchers also note that one malicious PE file that infected most of the Android apps was a keylogger. The malicious program attempted to log keystrokes, including sensitive information like credit card numbers, social security numbers and passwords.

To appear legitimate, these files use fake names, including Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.

When executed on Windows systems, the malicious PE files would create executable and hidden files in Windows system folders, including copies of themselves, would change Windows registry to auto-start after system restart, would attempt to sleep for long periods of time, and also showed suspicious network connection activities to IP address via port 8829.

“Interestingly, we saw a mixture of infected and non-infected apps from the same developers. We believe the reason might be that developers used different development env
ironment for different apps,” Palo Alto Networks says.

The malicious PE files cannot directly run on Android devices, but, if the APK is unpacked on a Windows machine and malicious code executed, the system becomes infected. As Palo Alto Networks points out, the situation could become much worse if the developers are infected with malicious files that can run on Android.

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain,” the security firm concludes.

 Related: Apps Containing Malicious IFrames Found on Google Play

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.