Google has recently removed 132 Android apps from Google Play due to them containing in their local HTML pages hidden iFrames linking to malicious domains.
But even though some of these apps were downloaded by thousands of users, the users were in no immediate danger.
For one, the malicious domains were sinkholed by the Polish CERT all the way back in 2013. Secondly, one of the infected pages attempted to download and install a malicious Microsoft Windows executable file – OS-specific malware that would not work on Android.
The malicious apps were discovered by Palo Alto Networks researchers, and have been tied to seven different, unrelated developers that all seem located in Indonesia or have ties to the country.
The researchers believe that the developers’ development platforms were infected with malware that searches for HTML pages and injects malicious content at the end of the HTML pages it finds. Alternatively, it’s possible that they may have downloaded an infected Integrated development environment from the same hosting website or they used the same infected online app generation platform.
All in all, the developers seem not to have had malicious intentions.
Potential for attack
Still, as the researchers noted, “it’s easy to envision a more focused and successful attack: an attacker could easily replace the current malicious domains with advertising URLs to generate revenue.”
“Through this vector, all resources within the app would be available to the attackers and under their control. They could also operate silently to replace the developer’s designated server with their own, and as a result, whatever information that was sent to developer’s server now falls in hands of the attacker. Advanced attackers can also directly modify the app’s internal logic, i.e., adding rooting utility, declaring additional permissions, or dropping malicious APK file, to escalate their capabilities.”