Apps Containing Malicious IFrames Found on Google Play

Recent analysis has found 132 Android applications in the official Google Play app store that have been infected with tiny hidden IFrames linking to malicious domains, Palo Alto Networks researchers warn.

The IFrames were found in the applications’ local HTML pages, which is most probably the result of the app developers’ development platforms being infected. According to Palo Alto’s security researchers, the malware infecting these platforms might have been designed to search for HTML pages and inject malicious content at the end of the found pages.

This also means that the mobile malware originated from infected development platforms without developers’ awareness. Previous examples of similar issues include the XcodeGhost compiler malware designed to target iOS and OS X, and the Vpon ad SDK for iOS.

The most popular of the newly discovered infected Android apps had more than 10,000 installs, the researchers note. The Google Security Team was already informed on the matter and all infected apps have been removed from Google Play.

What the infected apps had in common was the use of Android WebView to display static HTML pages, with each page seemingly doing nothing more than loading locally stored pictures and showing hard-coded text. However, the researchers discovered that the actual HTML code included a tiny hidden IFrame linking to well-known malicious domains.

The linked domains were down at the time of investigation, but the security researchers say that one of the infected pages also attempted to download and install a malicious Microsoft Windows executable file (which didn’t execute, since the device wasn’t running Windows). This behavior, however, is classified as Non-Android Threat, a category that includes apps that, although unable to cause harm to the user or Android device, contain components potentially harmful to other platforms.

The infected Android apps were also found to only require Internet permission and to be able to load interstitial advertisements, in addition to the main app. The latter ability, researchers say, instantiates an Android WebView component and displays a local HTML page (the WebView component was also found to have JavaScriptInterface enabled).

The IFrame was hidden in the infected HTML pages either by being tiny (it had a width and height of 1 pixel) or by having its display attribute set to none. To evade detection based on simple string matching, the source URLs were obfuscated using HTML numeric character codes, the researchers discovered. Once decoded, the linked domains were revealed to be www[.]Brenz[.]pl/rc/ and jL[.]chura[.]pl/rc/, both of which were taken down in 2013 by the Polish CERT, meaning that they are no longer hosting malware.

The security researchers also discovered a sample that contained an entire VBScript injected into the HTML instead. The script carried a Base64-encoded Windows executable, so it did not execute on Android. The code was appended outside the <HTML> tag, making the page malformed HTML, but browsers are lenient and would attempt to render it anyway.
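A defender-side check for the two infection traits described above (a 1-pixel or display:none IFrame whose src is hidden behind HTML numeric character references, and script content appended after the closing </html> tag) is shown below as an added example; it is not code from Palo Alto Networks or SecurityWeek. The sample HTML and the example.invalid domain are constructed placeholders for illustration, not indicators from the article. The scanner is meant to be run over the HTML assets unpacked from an APK or over a developer's project tree before release.

```python
import html
import os
import re

# Constructed sample modelled on the article's description: a 1x1 IFrame whose
# src is obfuscated with decimal HTML character references, plus a VBScript block
# appended after </html>. The domain is a placeholder, not a real indicator.
SAMPLE_HTML = """<html><body>
<img src="logo.png"><p>Welcome</p>
<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;example.invalid/rc/" width="1" height="1"></iframe>
</body></html>
<script language="VBScript">' appended payload would go here</script>
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name="value", name='value' or bare name=value
ATTR_RE = re.compile(r"([a-zA-Z-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def parse_attrs(tag):
    """Return a lowercase name -> value dict for the attributes of one tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def is_hidden(attrs):
    """True if the frame is sized to be invisible or styled away."""
    width = attrs.get("width", "").strip().lower().rstrip("px")
    height = attrs.get("height", "").strip().lower().rstrip("px")
    tiny = width in ("0", "1") or height in ("0", "1")
    style = attrs.get("style", "").replace(" ", "").lower()
    styled_away = "display:none" in style or "visibility:hidden" in style
    return tiny or styled_away


def find_hidden_iframes(doc):
    """Flag IFrames that are hidden and/or carry an entity-obfuscated src.

    html.unescape resolves decimal (&#104;) and hex (&#x68;) references, so the
    decoded URL is what gets reported and compared against blocklists.
    """
    findings = []
    for m in IFRAME_RE.finditer(doc):
        attrs = parse_attrs(m.group(0))
        src_raw = attrs.get("src", "")
        src = html.unescape(src_raw)
        obfuscated = src != src_raw
        hidden = is_hidden(attrs)
        if hidden or obfuscated:
            findings.append({"src": src, "hidden": hidden, "obfuscated": obfuscated})
    return findings


def trailing_content_after_html(doc):
    """Return anything appended after the last </html>; file infectors leave it there."""
    idx = doc.lower().rfind("</html>")
    if idx == -1:
        return ""
    return doc[idx + len("</html>"):].strip()


def scan_html(doc):
    return {"iframes": find_hidden_iframes(doc),
            "trailing": trailing_content_after_html(doc)}


def scan_tree(root):
    """Scan every .htm/.html file under root (e.g. an unpacked APK's assets/)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".htm", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report = scan_html(fh.read())
                if report["iframes"] or report["trailing"]:
                    results[path] = report
    return results


if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

A clean page yields an empty iframe list and an empty trailing string, so `scan_tree` only reports files worth a human look. Matching on the decoded src rather than the raw bytes is the point: the entity encoding described in the article defeats a grep for the domain but not a scanner that unescapes first.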

The 132 infected apps were found to belong to seven unrelated developers, though all of them have connections to Indonesia, with a significant number of discovered samples having the word “Indonesia” in their names. The security researchers also note that the HTML files have been infected with malicious IFrames either through file infecting viruses like Ramnit (threats that append IFrames to each HTML file found on compromised hosts) or through an infected IDE.

Palo Alto suggests that the developers are not malicious but victims in this attack, as all samples share similarities in their coding structure, which suggests they may be generated from the same platform, and because the malicious domains used to resolve to sinkholes. The fact that one sample attempts to download a Windows executable is also important, as it shows the attacker does not know about the target platform, which the app developers do.

The researchers warn that an attacker could use this attack method to point to active malicious domains, or could place malicious scripts on the remote server and utilize the JavaScriptInterface to access the infected apps’ native functionality. Thus, the attacker would be able to access all resources within the infected app and could replace them with their own, or could modify the app’s internal logic to add malicious capabilities.

Related: XcodeGhost Malware Updated to Target iOS 9

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
