Apps Containing Malicious IFrames Found on Google Play

Recent analysis has found 132 Android applications in the official Google Play app store that have been infected with tiny hidden IFrames linking to malicious domains, Palo Alto Networks researchers warn.

The IFrames were found in the applications’ local HTML pages, which is most probably the result of the app developers’ development platforms being infected. According to Palo Alto’s security researchers, the malware infecting these platforms might have been designed to search for HTML pages and inject malicious content at the end of the found pages.

This also means that the mobile malware originated from infected development platforms without developers’ awareness. Previous examples of similar issues include the XcodeGhost compiler malware designed to target iOS and OS X, and the Vpon ad SDK for iOS.

The most popular of the newly discovered infected Android apps had more than 10,000 installs, the researchers note. The Google Security Team was already informed on the matter and all infected apps have been removed from Google Play.

What the infected apps had in common was the use of Android WebView to display static HTML pages, with each page seemingly doing nothing more than loading locally stored pictures and showing hard-coded text. However, the researchers discovered that the actual HTML code included a tiny hidden IFrame linking to well-known malicious domains.

The linked domains were down at the time of investigation, but the security researchers say that one of the infected pages also attempted to download and install a malicious Microsoft Windows executable file (which didn’t execute, since the device wasn’t running Windows). This behavior, however, is classified as Non-Android Threat, a category that includes apps that, although unable to cause harm to the user or Android device, contain components potentially harmful to other platforms.

The infected Android apps were also found to require only the Internet permission and, in addition to their main functionality, to be able to load interstitial advertisements. The latter ability, researchers say, instantiates an Android WebView component and displays a local HTML page (the WebView component was also found to have JavaScriptInterface enabled).

The IFrame was hidden in the infected HTML pages either by being tiny (it had a width and height of 1 pixel) or by having its display style set to none. To evade detection based on simple string matching, the source URLs were obfuscated using HTML numeric character codes, the researchers discovered. Once decoded, the linked domains were revealed to be www[.]Brenz[.]pl/rc/ and jL[.]chura[.]pl/rc/, both of which were taken down in 2013 by the Polish CERT (cert.pl), meaning that they no longer host malware.


The security researchers also discovered a sample that instead contained an entire VBScript injected into the HTML. The script contained a Base64-encoded Windows executable, so it did not execute on Android. The code was appended outside the <HTML> tag, making the page invalid HTML, but browsers attempt to render such pages anyway for the sake of leniency.
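As an added example (not code from the Palo Alto report or from SecurityWeek), the following Python scanner applies the indicators described above to a local HTML page: it decodes numeric-character-reference obfuscation in iframe src attributes, flags iframes that are 1x1 pixel or styled display:none, and reports any content appended after the closing html tag. The sample page, its domain and the appended script stub are constructed placeholders, not real indicators.

```python
import html
import re

# Constructed sample modelled on the infection pattern described above: a 1x1
# iframe whose src is obfuscated with HTML numeric character references, a
# display:none iframe, and a script block appended after </html>.
# The domain uses the reserved .invalid TLD and is a placeholder.
SAMPLE_PAGE = """<html><body>
<img src="logo.png"><p>Welcome</p>
<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;example-bad.invalid/rc/" width="1" height="1"></iframe>
<iframe src="about:blank" style="display:none"></iframe>
</body></html>
<script language="VBScript">' constructed stand-in for an appended payload</script>
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

def parse_attrs(raw):
    """Map attribute names to values for one tag, decoding &#NNN; / &#xHH; references."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else (m.group(3) or m.group(4) or "")
        attrs[name] = html.unescape(value)  # reverses the numeric-code obfuscation
    return attrs

def is_hidden(attrs):
    """True if the iframe is 1x1 (or 0x0) pixels or hidden via inline display:none."""
    tiny = attrs.get("width", "").strip() in {"0", "1"} and attrs.get("height", "").strip() in {"0", "1"}
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    return tiny or "display:none" in style

def scan_page(text):
    """Return (kind, detail) findings: hidden iframes with decoded src, and trailing content after </html>."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        if is_hidden(attrs):
            findings.append(("hidden_iframe", attrs.get("src", "")))
    end = re.search(r"</html\s*>", text, re.IGNORECASE)
    if end and text[end.end():].strip():
        findings.append(("trailing_content", text[end.end():].strip()[:40]))
    return findings

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE):
        print(kind, detail)
```

Running it over every HTML asset unpacked from an APK gives a quick triage of whether a build environment has been seeding pages with hidden frames.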

The 132 infected apps were found to belong to seven unrelated developers, though all of them have connections to Indonesia, with a significant number of discovered samples having the word “Indonesia” in their names. The security researchers also note that the HTML files were infected with malicious IFrames either through file-infecting viruses like Ramnit (threats that append IFrames to each HTML file found on compromised hosts) or through an infected IDE.

Palo Alto suggests that the developers are not malicious but victims in this attack: all samples share similarities in their coding structure, which suggests they may have been generated from the same platform, and the malicious domains resolved to sinkholes. The fact that one sample attempts to download a Windows executable is also telling, as it shows the attacker does not know the target platform, which the app developers certainly do.

The researchers warn that an attacker could use this attack method to point to active malicious domains, or could place malicious scripts on the remote server and utilize the JavaScriptInterface to access the infected apps’ native functionality. Thus, the attacker would be able to access all resources within the infected app and could replace them with their own, or could modify the app’s internal logic to add malicious capabilities.

Related: XcodeGhost Malware Updated to Target iOS 9

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
