More Than 150 Android Apps Tried to Infect Phones with Windows Malware


Usually, finding malware in the Google Play Store would be a bad thing. Finding several hundred apps with thousands of downloads would be substantially worse, but in this case, it’s no big deal. The newly discovered malware apps don’t actually contain Android malware — they have Windows malware. Oops.

Security researchers with Zscaler detected the first infected app several days ago, but then more than 150 more with the same signature popped up upon further investigation. As it happens, these apps are carrying the same malicious Windows payload discovered in Android apps last year. This likely isn’t an example of bumbling malware creators loading the wrong code. Rather, the developers were using machines infected by a now-defunct botnet called Ramnit.

The Ramnit botnet first appeared in 2011, but it was taken offline in 2015 by a European law enforcement operation. At its height, Ramnit ran on nearly a million Windows PCs around the world and served as a hub for online crime. While the botnet itself is dead, there are still local infections living on PCs around the world. One feature of Ramnit was the way it burrowed into programming platforms. Apps built on these platforms would end up as carriers of the infection, and that’s what we see appearing in the Play Store.

The malicious iframes.

These Android apps contain malicious iframes that can load a domain with potentially dangerous code. On a Windows machine some years ago, the Ramnit botnet operators could use these domains to infect new computers and increase the size of the botnet. Today, these apps are little more than harmless relics. The 150 apps were mostly low-effort web wrappers and image galleries, and only a handful of developers were represented. It’s likely these multiple developers were actually a single team all using the same infected systems to develop their apps.

Android users need not fear the Ramnit-infected apps for several reasons (even more than usual). Most importantly, this is Windows malware that cannot negatively impact Android devices. There’s no exploit for Android here. In addition, the malicious domains from the iframes were blocked by DNS servers in 2015, a practice called sinkholing. And finally, Google responded to Zscaler’s report by removing all the offending apps. While they weren’t a danger to Android users, malware is malware. Even if you go looking for the apps listed by Zscaler, you’ll just get an error page. The developer accounts associated with the apps appear to be gone as well. Better safe than sorry.
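The two defensive checks the article describes, looking inside an app's bundled HTML for iframes that pull in an external domain and comparing those domains against a sinkhole list, can be automated. The script below is an added example, not code from Zscaler or from the article; it treats the APK as the zip file it is, parses every HTML asset with Python's standard-library parser, and flags any iframe whose `src` points at an external host, noting whether the frame is hidden (tiny dimensions or a hidden style) and whether the host is on a known-sinkholed list. The sample APK, the `KNOWN_SINKHOLED` set and the `sinkholed-example.invalid` domain are all constructed placeholders, not the domains from the report.

```python
import io
import re
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical sinkhole list a defender already maintains. The entry is a
# constructed placeholder, not a domain from the Zscaler report.
KNOWN_SINKHOLED = {"sinkholed-example.invalid"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_hidden(attrs):
    """Heuristic: a frame the user cannot see is a red flag (1x1 or hidden style)."""
    def dim(name):
        m = re.match(r"\s*(\d+)", attrs.get(name) or "")
        return int(m.group(1)) if m else None

    w, h = dim("width"), dim("height")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan_html(html_text):
    """Return one finding per iframe that loads an external (absolute) host."""
    collector = IframeCollector()
    collector.feed(html_text)
    findings = []
    for attrs in collector.iframes:
        host = urlparse(attrs.get("src") or "").hostname
        if not host:
            continue  # relative or inline frames are part of the app itself
        findings.append({
            "host": host,
            "hidden": _is_hidden(attrs),
            "sinkholed": host in KNOWN_SINKHOLED,
        })
    return findings


def scan_apk(apk_bytes):
    """Walk every HTML asset inside an APK (a zip archive) and scan it."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".html", ".htm")):
                text = zf.read(name).decode("utf-8", errors="replace")
                hits = scan_html(text)
                if hits:
                    results[name] = hits
    return results


def build_sample_apk():
    """Construct a tiny fake APK in memory: one clean page, one injected page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/index.html", "<html><body><h1>Gallery</h1></body></html>")
        zf.writestr(
            "assets/about.html",
            '<html><body>About us'
            '<iframe src="http://sinkholed-example.invalid/x.html" '
            'width="1" height="1" style="visibility:hidden"></iframe>'
            '</body></html>',
        )
        zf.writestr("classes.dex", b"\x00")  # stand-in for real bytecode
    return buf.getvalue()


if __name__ == "__main__":
    for path, hits in scan_apk(build_sample_apk()).items():
        for hit in hits:
            print(path, hit)
```

The hidden-frame heuristic is deliberately loose: a legitimate web-wrapper app may embed a visible external frame, so the useful signal for triage is the combination of an external host, a frame the user cannot see, and a match against a sinkhole or blocklist, which is exactly what made the Zscaler finding benign for Android users.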
