Google Play Yanks Android Apps Carrying Windows Malware

A total of 45 different Android apps were recently removed by Google from the company’s Play Store after it discovered that the applications were carrying malicious Windows .exe (executable) files, according to Palo Alto Networks.

A group of researchers from Palo Alto revealed that most of the affected apps were uploaded to Google’s Play Store between October and November of last year and had remained there for more than six months. After being alerted to the malicious apps, Google immediately took action and removed all of them.

Although the apps in question posed no threat to the users who downloaded and installed them on their Android devices, the malicious code bundled into the Android package kit (APK) illustrates the risks that supply chain attacks pose. The developers of these apps had built them on Windows systems that had been compromised.

A few of the affected apps had already reached more than 1000 downloads and had obtained 4-star ratings before Google was able to identify and ultimately remove them.

It was also uncovered that a number of the affected APKs housed numerous malicious PE files, stored at different locations and under different names. Nevertheless, two malicious files were found embedded within most of the infected apps.

One of these malicious files had infected 142 APKs, and the other was present in 21 APKs. The security researchers also found a total of 15 applications containing both PE files, as well as a few APKs containing multiple other malicious PE files.

The security firm also noted that the malicious PE file infecting the vast majority of the applications was essentially a keylogger. The program attempted to log keystrokes, including sensitive personal details such as passwords, social security numbers, and credit/debit and other payment card data.

The files use phony names to appear legitimate, such as: my music.exe, Android.exe, js.exe, COPY_DOKKEP.exe, gallery.exe, css.exe, msn.exe, and images.exe.
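Because an APK is just a zip archive, a build pipeline or app-store reviewer can catch this class of contamination by inspecting every archive entry for a Windows PE header rather than trusting file names. The script below is an added illustration written for this article; it is not Palo Alto Networks' tooling or Google's scanner. It checks each entry for the DOS `MZ` magic and the `PE\0\0` signature at the `e_lfanew` offset, so a PE file renamed to `.dat` is flagged while a harmless text file named `notes.exe` is not. The sample APK, the entry names (other than `images.exe`, which the article lists) and the fake PE bytes are all constructed here for the demonstration.

```python
import io
import struct
import zipfile

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def looks_like_pe(data: bytes) -> bool:
    """True if `data` starts with a DOS header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    # e_lfanew: 32-bit little-endian offset of the PE header, stored at 0x3C in the DOS header
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def find_embedded_pe(apk_bytes: bytes) -> list:
    """Scan every entry of an APK (a zip archive) and return the names of entries that carry a PE file.

    Detection is based on content, not extension, so renamed executables are still reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir():
                continue
            with apk.open(info) as fh:
                # The DOS header plus PE signature sit in the first few hundred bytes of a real PE,
                # so reading 4 KiB is enough without decompressing large assets in full.
                head = fh.read(4096)
            if looks_like_pe(head):
                hits.append(info.filename)
    return hits


def make_fake_pe() -> bytes:
    """Constructed, non-executable bytes carrying only a valid DOS header and PE signature (test data)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + PE_SIGNATURE + b"\0" * 20  # zeroed placeholder where the COFF header would be


def build_sample_apk() -> bytes:
    """Build a constructed in-memory APK mixing benign entries with embedded PE payloads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        z.writestr("assets/images.exe", make_fake_pe())        # name taken from the article's list
        z.writestr("res/raw/theme.dat", make_fake_pe())        # PE hidden behind a harmless extension
        z.writestr("assets/notes.exe", b"just text, not a PE")  # .exe name but no PE header
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_embedded_pe(build_sample_apk()):
        print("embedded PE:", name)
```

Running the script reports `assets/images.exe` and `res/raw/theme.dat` and ignores `assets/notes.exe`. In a CI job the same function would be pointed at the freshly built APK, and any hit would fail the build and trigger a look at the developer workstation that produced it, which is where the article places the original compromise.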
