Infected Apps in Google Play Store (it's not what you think), (Thu, Mar 2nd)

Xavier pointed me towards a new issue posted on Palo Alto's Unit 42 blog - the folks at PA found apps in the Google Play store infected with hidden-iframe type malware. 132 apps (so far) are affected, with the most popular one seeing roughly 10,000 downloads. But we're not at the end of the trail of breadcrumbs yet .. these apps were traced back to just 7 developers, who aren't in the same company, but all have a connection to Indonesia (the smoking gun here was the code signing certificate). But wait, we're *still* not at the punchline.

Two more facts to throw into the pot - the malware that the app downloads is a Windows executable, so this is unintentional - the developers in question would know that a Windows PE won't run on their Android platform. The malicious apps also point to sinkholed domains, so they are doubly ineffective. The theory so far is that these 7 developers have all downloaded an infected IDE (Integrated Development Environment) or APK packager, which then infects all of their subsequent Android apps.

If this sounds like last year's XcodeGhost issue to you (where Apple devs pulled unsanctioned, infected code libraries), you are not alone. Because of their position in the food chain, developers especially need to be careful about what they download, and what ingredients go into making their apps. This means libraries, compilers, IDEs - everything that goes into the pot to make the soup that becomes their app. One infected tool or library can easily affect thousands or millions of end users. Luckily today's issue ends up being a bit of a non-issue - the malware simply is not effective on the platform it's being delivered to. However, if it had been written a bit more cleverly, or been more targeted, it could have become a decent Android worm, or the Android app could have become a carrier for a plague on Windows or OS X hosts. Hopefully it's a wake-up call for folks to build their apps using libraries and code directly from the source - a free download generally means that you've just become the product (or the vector to get to the end product).
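For developers who want to check their own build output for the kind of tampering described above (hidden iframes injected into an app's bundled HTML by a compromised toolchain), here is an added example of a small defender-side scanner. It is not code from the diary or from Unit 42: it treats an APK as the zip archive it is, pulls out every bundled .html/.htm asset, and flags any iframe that is hidden via display:none, visibility:hidden, a zero width/height, or the bare hidden attribute. The sample APK, the asset paths and the sinkholed-domain.invalid / legit.example hostnames are all constructed for the demonstration.

```python
import io
import re
import zipfile

# <iframe ...> opening tags, attributes captured as one string (case-insensitive).
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value" | name='value' | name=value | bare boolean name (e.g. hidden)
ATTR_RE = re.compile(
    r"""([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?"""
)


def parse_attrs(attr_text):
    """Return a dict of lower-cased attribute names to values ('' for bare attributes)."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        value = next((g for g in m.group(2, 3, 4) if g is not None), "")
        attrs[name] = value
    return attrs


def is_hidden(attrs):
    """Heuristic: is this iframe invisible to the user?"""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    if "hidden" in attrs:  # HTML5 boolean attribute
        return True
    for dim in ("width", "height"):
        v = attrs.get(dim, "").strip().lower().rstrip("px")
        if v.isdigit() and int(v) == 0:
            return True
    return False


def find_hidden_iframes(html):
    """Return the src of every hidden iframe found in an HTML string."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        if is_hidden(attrs):
            hits.append(attrs.get("src", ""))
    return hits


def scan_apk(apk_bytes):
    """Map each bundled HTML asset with hidden iframes to the iframe srcs it contains."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".html", ".htm")):
                html = zf.read(name).decode("utf-8", errors="replace")
                hits = find_hidden_iframes(html)
                if hits:
                    report[name] = hits
    return report


def build_sample_apk():
    """Constructed sample: a minimal zip standing in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        # Asset tampered with in the way the diary describes (constructed content).
        zf.writestr(
            "assets/www/index.html",
            '<html><body><h1>Hello</h1>'
            '<iframe src="http://sinkholed-domain.invalid/" '
            'style="display:none" width="0" height="0"></iframe>'
            '</body></html>',
        )
        # Ordinary, visible embed that must not be flagged.
        zf.writestr(
            "assets/www/about.html",
            '<html><body><iframe src="https://legit.example/embed" '
            'width="300" height="200"></iframe></body></html>',
        )
    return buf.getvalue()


if __name__ == "__main__":
    for asset, srcs in scan_apk(build_sample_apk()).items():
        print(f"{asset}: hidden iframe(s) -> {srcs}")
```

Run it against a real build by replacing build_sample_apk() with the bytes of your own APK; any hit in an asset you did not write yourself is a reason to re-verify the toolchain that produced the build, which is the point of the diary.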

Kudos to Xiao Zhang, Wenjun Hu and Shawn Jin from Palo Alto Networks for their excellent sleuthing and write-up. They in turn acknowledge Zhi Xu and Claud Xiao from Palo Alto Networks as well as the Google Security team for their help in piecing this together. Full details here: http://researchcenter.paloaltonetworks.com/2017/03/unit42-google-play-apps-infected-malicious-iframes/

===============
Rob VandenBrink
Compugen

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
