Malicious Android apps infected with Windows keyloggers pulled from Google Play

145 apps contained underlying executables for Windows systems.
Written by Charlie Osborne, Contributing Writer

Google has pulled 145 apps from the Play Store following the discovery that they were laden with malware intended for Windows machines.

Security researchers from Palo Alto Networks said this week that the majority of the infected apps were released to Google Play between October 2017 and November 2017, which means that many have been lurking in the app store for over six months.

Among the malicious applications were learning and drawing apps, trail bike modification idea software, and gymnastics tutorials. Several have been downloaded over 1,000 times and have achieved four-star ratings.

In total, 145 apps were deemed malicious by the team. However, unusually, the applications did not contain malicious code intended for the Android mobile operating system.

Instead, they contained malicious Microsoft Windows executable files.

This means that the apps are no threat to Android devices -- despite them being available for download in a repository of apps designed for that particular operating system. The code is "inert and ineffective on the Android platform," according to Palo Alto, and will instead only run on Windows systems.

It is unclear why Android apps would be laden with Windows malware. However, it may be that the developer is creating APK files on a Windows system which has been compromised.

"This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide-scale attacks," the researchers say. "Interestingly, we saw a mixture of infected and non-infected apps from the same developers. We believe the reason might be that developers used different development environment for different apps."

Of particular interest was one PE file which was present in all but three of the malicious apps found in Google Play. This particular file was a keylogger designed for Windows machines.

Additional malicious PE files contained code to hide files in Windows system folders, tamper with the Windows registry, and reach out to connect to suspicious IP addresses.

The average user is unlikely to be affected by these applications as the Android operating system is immune. However, if the malicious APK files were unpacked on a Windows machine and executed, it would be a different story.

"The development environment is a critical part of the software development life cycle," Palo Alto says. "We should always try to secure it first. Otherwise, other security countermeasures could just be attempts in vain."

The findings were reported to Google and the infected apps were quickly pulled from the Play Store.
