Hundreds of Android Apps are Attacking Phones With Windows Malware


The dangers of insecure Android and Windows platforms laid bare, as defunct malware botnet lives on…

It’s not often that malware is actually useful, but a recent development provides a valuable insight into vulnerability management without any collateral damage.

Researchers have spotted a large selection of Android apps containing malware, but with a difference - it’s Windows malware.

In an unusual twist, researchers at Zscaler uncovered more than 150 Android apps containing the same malicious Windows payload that was first discovered in Android apps last year. The explanation for this apparently paradoxical finding is that the app developers were building on machines infected with the now-defunct botnet Ramnit.

Ramnit appeared in 2011 and grew to around a million Windows PCs worldwide before a European law enforcement operation took it offline in 2015. However, the Ramnit malware was particularly adept at persisting and propagating through development platforms, and any apps subsequently built with those tools contain malicious iframes that can load a domain with potentially dangerous code. Specifically, the Ramnit worm spreads by infecting all available EXE, DLL, HTML, and HTM files on the compromised Windows system. If a developer’s system is infected with this worm, it injects a malicious iframe into the HTM/HTML files in the source code of Android projects, and those files eventually end up in the APK.
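The infection pattern described above (an iframe dropped into every HTM/HTML file on the developer’s machine, which is then bundled into the APK) is easy to check for on the defender’s side. The following is an added example, not code from Zscaler, High-Tech Bridge or the Ramnit research: it walks an unpacked APK or project tree, parses each HTM/HTML file, and reports iframes whose `src` points to a host outside an allow-list, flagging the tiny or hidden sizing typically used to keep an injected frame invisible. The sample pages and the `injected-placeholder.invalid` domain are constructed for the demonstration and are not real Ramnit indicators.

```python
"""Scan an Android project tree or unpacked APK for injected <iframe> tags.

Added example (not Zscaler's or High-Tech Bridge's code). Ramnit's pattern,
as described above, is to drop an iframe into every HTM/HTML file it finds on
the developer's machine; those files then ship inside the APK (typically
under assets/). This walker flags iframes whose src points off-host and notes
the classic "hidden" sizing. Sample files are constructed inline and the
domain is an RFC 2606 .invalid placeholder, not a real indicator.
"""
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """Heuristic: zero/one-pixel size or display:none, typical of injected frames."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    tiny = {"0", "1", "0px", "1px"}
    return attrs.get("width", "") in tiny or attrs.get("height", "") in tiny


def scan_html(text, allowed_hosts=()):
    """Return [(src, hidden), ...] for each iframe pointing at a non-allowed host.

    Relative srcs (same-origin, e.g. "about.html") have no host and are ignored.
    """
    parser = IframeCollector()
    parser.feed(text)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append((src, _is_hidden(attrs)))
    return findings


def scan_tree(root, allowed_hosts=()):
    """Walk root for .htm/.html files; map relative path -> findings (non-empty only)."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_html(fh.read(), allowed_hosts)
            if found:
                results[os.path.relpath(path, root)] = found
    return results


# Constructed sample pages standing in for an unpacked APK's assets/ folder.
CLEAN_PAGE = "<html><body><h1>Help</h1><p>No frames here.</p></body></html>"
INFECTED_PAGE = (
    "<html><body><h1>Help</h1>"
    '<iframe src="http://injected-placeholder.invalid/x.php" '
    'width="1" height="1" style="visibility: hidden"></iframe>'
    "</body></html>"
)
SAME_ORIGIN_PAGE = '<html><body><iframe src="about.html"></iframe></body></html>'


def build_sample_tree():
    """Write the constructed pages into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="apk_assets_")
    os.makedirs(os.path.join(root, "assets", "help"))
    for rel, body in [
        ("assets/index.html", CLEAN_PAGE),
        ("assets/help/faq.htm", INFECTED_PAGE),
        ("assets/help/about.html", SAME_ORIGIN_PAGE),
    ]:
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, found in scan_tree(sample_root).items():
        for src, hidden in found:
            print(f"{rel}: external iframe -> {src}{' (hidden)' if hidden else ''}")
```

Run it against `apktool`’s output directory or the project’s source tree instead of the sample tree; pass your own CDN or help-site hosts in `allowed_hosts` so legitimate embedded frames are not reported. Only the `faq.htm` page should be flagged in the sample run, as a hidden external frame.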

As the Zscaler researchers noted in a blogpost: “This is not a new threat. Similar infected apps have been found by other researchers, in which the app author’s development platform was probably infected with this malware that injects the malicious iFrame on all HTML files found on the system. It is surprising to see that the trend of APKs infected with Windows malware has continued for almost a year.”

That trend is just one example of poor DevSecOps practice, which only through luck has not had a more serious impact. The dangers of undocumented or out-of-date applications have been well-publicised, but clearly there is still work for organisations and developers to do.

Ilia Kolochenko, CEO, High-Tech Bridge said: “First of all, companies should maintain a comprehensive and up-to-date inventory of their IT systems. It is enough to forget about one tiny web application to get attackers on board. Some people may argue that it’s a very challenging and time-consuming task, but it’s much easier than most people think.

“To help companies tackle this problem, at High-Tech Bridge we launched a free discovery service that enumerates your external mobile and web apps, as well as their APIs. Once you have an inventory of your digital assets, you can continue with patch management, security hardening, threat hunting and anomaly monitoring – without the risk of ruining all your efforts by one forgotten app.”

On the bright side, not only is there no specific Android exploit to worry about in this case, but all the malicious domains from the iframes were sinkholed from DNS servers in 2015, and Google has removed the offending apps from the Play Store for good measure.

There are still plenty of Android applications that sail very close to the wind, however. A recent survey of Android apps conducted using High-Tech Bridge’s free online service “Mobile X-Ray” found at least one OWASP Mobile Top Ten vulnerability in 97 per cent of applications. Indeed, more than 78 per cent of applications have at least one high and two medium risk vulnerabilities, and a feeble 30 per cent of applications follow secure-coding best practices and guidelines.

Of the OWASP Mobile Top Ten vulnerabilities detected in nearly 75,000 applications scanned by Mobile X-Ray to date, the vast majority (51.54 per cent) involve either improper platform usage or insecure data storage - another unwelcome trend to watch out for in the future...