What Is It?

A recently released report from Palo Alto Networks’ Unit 42 research group described an interesting discovery. They found 145 Android apps on the Google Play Store infected with Windows executable malware. After they were reported to the Google security team, all that infected applications have since been removed from Google Play.

The interesting aspect of this discovery is that the Windows malware poses absolutely no threat to Android devices as Windows executables do not run on Android devices. In order to be infected, it would require a highly unlikely sequence of events to occur. A user would have to download one of the infected APK files to a Windows system, extract the files contained by the APK file (which is a Zip archive) and deliberately or inadvertently execute one of the malicious executable files on their Windows system.

Android AppThe majority of the infected apps were released in October and November in 2017, meaning they have been in circulation for at least 9 months, some of which contained more than one malicious executable.

This is not a case where attackers have compromised a software package in order to distribute malware for that platform, as most famously occurred with the NotPetya outbreak. In NotPetya, an update to the Ukranian MeDoc financial software actually delivered the malware. In this situation, it appears that the Windows workstations or other servers used by developers as part of development process were compromised by malware, resulting in the malicious executables being added to the Android app APK files.

Though the threat posed by this specific example is very low, it highlights how vulnerable the development process is to compromise. This is especially true in app store ecosystems that provide opportunities for small or individual developers to release apps directly, without the security infrastructure and experience large developers may have.

How Does It Propagate?

The malware does not self-propagate.  The attack vector appears to be developer’s workstations or servers which have already been compromised by Windows malware.

When/How Did BluVector Detect It?

The report listed 43 samples of Android APK files containing Windows malware and 22 unique samples of the Windows malware itself. BluVector’s patented Machine Learning Engine (MLE) detected 100% of both groups of samples. Regression testing has shown the infected Android APK files would have been detected an average of 17 months prior to their release and the Windows malware samples an average of 23 months prior. Note: BluVector would only detect the malware if the Android device was connected to a corporate network monitored by BluVector.