It's a mystery that left researchers scratching their heads: 132 Android apps in the official Google Play market attempted to infect users with... Windows malware.

The apps, which were spawned by seven different developers, mostly contained carefully concealed HTML-based iframe tags that connected to two heavily obfuscated malicious domains. In one case, an app didn't use iframes but instead used Microsoft's Visual Basic language to inject an entire obfuscated Windows executable into the HTML. The apps were equipped with two capabilities. One was to load interstitial ads, and the other was to load the main app. The main apps loaded WebView components that were configured to allow loaded JavaScript code to access the app's native functionality.

That was a lot of work considering that the Windows-based malware was incapable of executing on an Android device. On top of that, the two malicious domains in the iframes—brenz.pl and chura.pl—were taken over by Polish security authorities in 2013. So what, precisely, was going on?

Researchers from Palo Alto Networks—the security firm that discovered the 132 Android apps and reported them to Google so they could be removed—believe the developers didn't intentionally include the malicious domains and executable. Instead, the researchers suspect that the developers unknowingly used the same infected programming platform to code the apps. A key reason behind the theory: the developers all shared a geographic proximity to Indonesia, and a significant number of them included the word "Indonesia" in their app names. In a blog post published Wednesday, the researchers wrote:

One common way HTML files have been infected with malicious IFrames has been through file infecting viruses like Ramnit. After infecting a Windows host, these viruses search the hard drive for HTML files and append IFrames to each document. If a developer was infected with one of these viruses, their app’s HTML files could be infected. However, given that the developers may all be Indonesia [sic], it’s also possible they may have downloaded an infected [integrated developer environment] from the same hosting website or they used the same infected online app generation platform. In either case, we believe the developers are not malicious and are victims in this attack. There are a few other pieces of supporting evidences from our investigation: All samples share similarities in their coding structure, suggesting that they may be generated from the same platform;

Both malicious domains used resolve to sinkholes. If developers were the attack[er]s behind all these, they could have replaced them with working domains to cause real damage;

One infected sample attempts to download windows executable file. It suggests that the attacker does not know about the target platform. Clearly, this is not the case for app developers. Potential Damages and Mitigation Currently, infected apps will not cause damage to Android users. However, this does represent a novel way for platforms to be a “carrier” for malware: not be infected themselves but spread the malware to other platforms without realizing it. Similar to the XcodeGhost attack we identified in 2015, this threat shows how attacking developers can impact end-users.

The dormant domains and the focus on Windows-based malware prevented the apps from posing a threat to the more than 10,000 people who installed the apps. But the researchers said it might have been possible for the apps to be much more malicious. Under one scenario, the iframes could have linked to active domains that used the JavaScript settings to access the apps' native functionality.

"Through this vector, all resources within the app would be available to the attackers and under their control," the researchers wrote. "They could also operate silently to replace the developer's designated server with their own, and as a result, whatever information that was sent to the developer's server now falls in the hands of the attacker. Advanced attackers can also directly modify the app's internal logic, i.e., adding rooting utility, declaring additional permissions, or dropping malicious APK file, to escalate their capabilities."