Palo Alto Networks, a network enterprise security firm, has discovered at least 145 apps in the Google Play Store that are embedded with Windows-based malware. These apps remain functional when installed on an Android device, and their embedded Windows executables do not run in the Android ART environment. Experts suspect that certain Android app developers used compromised Windows machines and inadvertently infected their apps with Windows-based malware without knowing it.
The apps with hidden Windows malware are not considered junk—in fact, they are apps in good standing in the store with four-star ratings, and they have already been downloaded thousands of times. A malicious Windows executable hidden on an Android device poses no danger to the user unless the device itself is connected to a Windows PC as an external storage device. The executable could conceivably be run through user intervention, but that is highly unlikely.
Developers need to ensure their development environment is virus free, as this kind of negligence could seriously damage the reputation of their apps. Google has reportedly removed the 145 apps from the Google Play Store, but it is still unknown whether the company was able to use a kill switch on user devices to remove the offending apps automatically.
Upon further inspection, Palo Alto Networks determined that the 145 apps were published in the Google Play Store from October to November 2017. One month is plenty of time for unsuspecting users to download these bad apps thousands of times. Google also found that the infected apps all came from the same groups of developers. After close scrutiny, the Windows-based malware was found to belong to different known virus families that mainstream Windows anti-malware products already detect. Examples of the embedded viruses were keyloggers, credit card theft malware, and password-stealing viruses.
Some apps were named in the report: Idea Pattern Shirt, Learn to Draw Clothing, and Gymnastics Training Tutorial. The developers of these apps are expected to release clean versions soon to replace the malicious versions that were posted and then removed by the Google Play team.
The potential danger of an Android app harboring hidden Windows malware can only materialize when the device is connected to a Windows PC; the Android Runtime ignores .exe files and cannot execute them. Once executed in a Windows environment, the malware takes control of the machine by infecting the registry. It also inserts an entry that keeps the malware running automatically, and it performs network command-and-control communication with the public IP 188.8.131.52 on port 8829. Simply deleting the infected files will not suffice: through its autorun module, the virus installed in memory will recreate redundant virus files throughout the Windows system folders.
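As an added example (not code from the Palo Alto report or this article), a defender-side check for this class of problem: walk an APK's ZIP entries and flag any that carry a Windows PE executable, validating both the DOS `MZ` stub and the `PE\0\0` signature it points to rather than trusting the file extension. The sample APK, its entry names and the PE stub are constructed inline.

```python
import io
import struct
import zipfile

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    # Both checks are needed: the letters MZ alone also occur in ordinary files.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def find_pe_in_apk(apk_bytes: bytes) -> list:
    """Return names of APK (ZIP) entries that carry a Windows PE, whatever the extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            with apk.open(info) as fh:
                head = fh.read(0x1000)  # DOS header plus room for the e_lfanew target
            if looks_like_pe(head):
                hits.append(info.filename)
    return hits

def _fake_pe() -> bytes:
    """Constructed stand-in for a PE: MZ stub, e_lfanew = 0x80, PE signature there."""
    stub = bytearray(b"MZ" + b"\x00" * (0x80 - 2))
    struct.pack_into("<I", stub, 0x3C, 0x80)
    return bytes(stub + b"PE\x00\x00" + b"\x00" * 0x20)

def build_sample_apk() -> bytes:
    """Constructed APK: normal Android entries plus a PE under a harmless-looking asset name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        z.writestr("assets/shirt_pattern.png", _fake_pe())  # hidden Windows executable
        z.writestr("assets/readme.txt", b"MZ is just text here")  # MZ but no PE header
    return buf.getvalue()

if __name__ == "__main__":
    print(find_pe_in_apk(build_sample_apk()))  # ['assets/shirt_pattern.png']
```

Point `find_pe_in_apk` at the bytes of a real APK to audit a build before it is uploaded; a hit in a release artifact is a sign the build machine, not the Android code, needs attention.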
A Palo Alto representative explains, “Infected APKs are not a threat to Android smartphones. The malware can only work on a computer that runs on Windows. Most of the infected apps were on Google Play between October 2017 and November 2017. We reported the problem to the Google security team and all infected apps were removed from the Play Store.”