132 Android Apps Found To Contain IFrames That Link To Malicious Domains

More than a hundred Google Play apps have been found to be infected with tiny IFrames hidden in local HTML pages that link to malicious domains.

Palo Alto Networks security team found that 132 Android apps on the Google Paly store were infected with such a cyber security threat, with the most popular of the affected apps having been installed more than 10,000 times.

Palo Alto’s researchers noted that the cyber security risk appears to stem from the platforms developers of the infected app use, rather than flaws in the apps themselves or malicious action by the software makers.

Dodgy apps

“Our investigation indicates that the developers of these infected apps are not to blame, but are more likely victims themselves. We believe it is most likely that the app developers’ development platforms were infected with malware that searches for HTML pages and injects malicious content at the end of the HTML pages it finds,” noted Xiao Zhang, Wenjun Hu and Shawn Jin from Palo Alto.

“If this is this case, this is another situation where mobile malware originated from infected development platforms without developers’ awareness. We have reported our findings to Google Security Team and all infected apps have been removed from Google Play.”

The infected apps were found to all use the Android WebView developer tool which allows for static web pages to be displayed within an app. Palo Alto’s researchers noted that at first glance the web pages do little other than load locally stored pictures and display hard-coded text, but behind the scenes and embedded deep in the HTML code tiny IFrames lurk to link to well-known malicious domains.

IFrame Android app threat

As the malicious domains were found to be down at the time of Palo Alto’s investigation, the threat does not appear to have been substantial, but the researchers noted it could cause problems for other platforms.

“What is more notable is that, one of the infected pages also attempts to download and install a malicious Microsoft Windows executable file at the time of page loading, but as the device is not running Windows, it will not execute,” they explained.

“This behaviour fits well in the Non-Android Threat category recently released by the Google Android Security. According to the classification, Non-Android Threat refers to apps that are unable to cause harm to the user or Android device, but contains components that are potentially harmful to other platforms.”

As such the IFrames do not directly affect Android devices but could act as carriers for malware which could be transferred to other devices and platforms that can see the links in the IFrames get executed and direct people to dodgy domains or allow for exploits to be used to carry out other malicious activity.

“It’s easy to envision a more focused and successful attack: an attacker could easily replace the current malicious domains with advertising URLs to generate revenue. This not only steals revenue from app developers, but also can damages the developers’ reputation,” Palo Alto’s researchers said.

“Secondly, aggressive attackers could place malicious scripts on the remote server and utilize the JavaScriptInterface to access the infected apps’ native functionality. Through this vector, all resources within the app would be available to the attackers and under their control.”

Sadly infections in Android apps are nothing new, with malware like DressCode being found to have infected hundreds of apps. 

Are you a security pro? Try our quiz!