Monday, 6 March 2017

Palo Alto Networks uncovers new type of Android infection

Palo Alto Networks has reported the discovery of apps on Google Play infected with tiny hidden IFrames that link to malicious domains from their local HTML pages. An IFrame, or inline frame, specifies a document that is embedded in another HTML document.

According to Palo Alto Networks, the infected apps do not cause damage to Android users but point to a novel way for platforms to be 'carriers' of malware. The 132 apps belonged to seven unrelated developers, all geographically connected to Indonesia. The most popular app alone had more than 10,000 installations. Investigations showed that the developers of these infected apps are likely to be victims themselves: their development platforms were infected with malware that searches for HTML pages and injects malicious content at the end of those pages.

Source: Palo Alto Networks Unit 42 blog. A subset of the infected apps.
The infected apps included apps for design ideas ranging from cheesecake to gardening and coffee tables. What the apps had in common was that they all used Android WebView to display static HTML pages. At first glance, each page loaded locally-stored pictures and showed hard-coded text. A deeper analysis of the HTML code revealed an IFrame that links to well-known malicious websites. The IFrame is hidden either by specifying a width of one pixel or by setting the CSS display property to 'none'.
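Both hiding tricks named above can be checked for mechanically in the HTML assets of an app before it ships. As an added example (not the blog's or Unit 42's code), the Python scanner below flags any iframe in an extracted HTML page that is suppressed by a one-pixel dimension or by display:none and that loads a remote host; the sample page and the .example domains are constructed.

```python
"""Flag hidden IFrames appended to local HTML pages, the pattern described above.
Added example, not Unit 42's or the blog's own code; sample HTML and domains are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags that are visually suppressed and load a remote origin."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        # Hiding trick 1: a one-pixel (or zero) width/height attribute.
        for dim in ("width", "height"):
            if re.fullmatch(r"0*[01](px)?", a.get(dim, "").strip().lower()):
                reasons.append(f"{dim}={a[dim]!r}")
        # Hiding trick 2: the CSS display property set to none.
        if "display:none" in style:
            reasons.append("display:none")
        host = urlparse(a.get("src", "")).hostname
        # Only remote frames are of interest; a hidden frame onto a local asset has no host.
        if reasons and host:
            self.findings.append({"src": a["src"], "host": host, "reasons": reasons})

def find_hidden_iframes(html: str) -> list:
    """Return one finding per hidden, remotely-sourced iframe in the given HTML text."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a WebView page with local content plus an injected trailer.
SAMPLE_PAGE = """<html><body>
<h1>Cheesecake ideas</h1><img src="file:///android_asset/cake1.jpg">
<iframe src="file:///android_asset/footer.html" width="1"></iframe>
<iframe src="http://malicious.example/" width="1" height="1"></iframe>
<iframe src="http://other-malicious.example/a.html" style="display: none;"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE):
        print(f["host"], "->", ", ".join(f["reasons"]))
```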

One of the infected web pages also attempted to download and install a malicious Microsoft Windows executable file at the time of page loading, but the malware could not execute as the Android devices were not running Windows.

Palo Alto Networks has since shared its findings with the Google Security Team and the infected apps have been removed from the Google Play app store.

Interested?

Read more in "Google Play Apps Infected with Malicious IFrames" on the Palo Alto Networks Unit 42 blog.
