• Unit 42
  • Hidden Devil in the Development Life Cycle: Google Play Apps Infected with Windows Executable Files

Hidden Devil in the Development Life Cycle: Google Play Apps Infected with Windows Executable Files

Unit42 Logo

By , , and

Category: Unit 42

Tags: ,

Last year, Unit 42 reported a number of Google play apps infected with malicious IFrames in this report. Recently, we found similar cases on Google Play. However, this time, there are 145 Google Play apps infected by malicious Microsoft Windows executable files instead of malicious IFrames. We have reported our findings to Google Security Team and all infected apps have been removed from Google Play.
Notably, the infected APK files do not pose any threat to Android devices, as these embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform. The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware. This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks. Examples include, KeRanger, XcodeGhost, and  NotPetya.
Most of the infected apps were released to Google Play between October 2017 and November 2017, which means these apps have been in Google Play for more than half a year. Among these infected apps, several have more than 1,000 installations and 4-star ratings.
Google play_1

Figure 1: An infected app with 1000+ downloads and 4.0 rating

Interestingly, we saw a mixture of infected and non-infected apps from the same developers. We believe the reason might be that developers used different development environment for different apps.
Some of the infected apps include “Learn to Draw Clothing”, an app teaching people how to draw and design clothing; “Modification Trail”, an app showing images of trail bike modification ideas; “Gymnastics Training Tutorial”, an app letting people find healthy ideas for gymnastic moves.
Google play_2

Figure 2: Apps from one developer (marked) are infected with Windows keylogger

Among these infected apps, one APK file may contain multiple malicious PE files at different locations, with different file names. However, there are mainly two PE files embedded across all of the infected apps.
According to the analysis results from WildFire, one PE file has infected 142 APK files including those apps on Google Play.  The second PE file infected 21 APK files. 15 APK samples of them have both PE files mentioned above inside. Among these infected APK bundles, we found a number of other malicious PE files inside. These developers’ machines may be seriously infected by various malware families.
After investigating all those malicious PE files, we found that there is one PE file which infects most of the Android apps, and the malicious activity of that PE file is key logging.  On a Windows system, this key logger attempts to log keystrokes, which can include sensitive information like credit card numbers, social security numbers and passwords. Besides, these files fake their names to make their appearance look legitimate. Such names include “Android.exe”, “my music.exe”, “COPY_DOKKEP.exe”, “js.exe”, “gallery.exe”, “images.exe”, “msn.exe” and “css.exe”.­
During Palo Alto Networks’ WildFire analysis, the malicious PE files have the following suspicious activities when executed on a Windows system:

  • Creates executable and hidden files in Windows system folders, including copying itself
  • Changes Windows registry to auto-start themselves after restarting
  • Attempts to sleep for a long period
  • Has suspicious network connection activities to IP address via port 8829

Potential Damage and Mitigation
The malicious PE files cannot directly run on the Android hosts. However, if the APK file is unpacked on a Windows machine and the PE files are accidentally executed, or the developers also issue Windows-based software, or if the developers are infected with malicious files runnable on Android platforms, the situation will go much worse.
Customers of Palo Alto Networks are protected by our WildFire and Traps for Android. WildFire is able to automatically detect these infected apps. Traps for Android protects Android devices, it automatically intercepts malicious apps installed on the device by leveraging WildFire and protect the device from malicious apps by blocking the app and notifying the user.
The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain.
We would like to thank Ryan Olson from Palo Alto Networks for their assistance during the analysis.
PE files found in the infected apps:
The following infected APK files were found on Google Play.

SHA256 App Name Package Name
1896ed8d12f5a7c3046acd929e64cc97e8acb020e40c1b3a2001b30003f50883 Baby Room com.KamarBaYi.odieapps
290b7f930361d06e8f8c93aa9f97405d6b4b9fef7f9ac13c3c73c8966cf0e83a Motor Trail com.MotorTraiL.odieapps
b2fec79084611ad8abed3354399b2e759e903ec15976b9d10ac05e548964a1e9 Tattoo Name com.TatToNaMa.odieapps
b828b870a317693a0ae0544b9d0ffddcf6442da4d1979f6f8ccafcbe5c96d1e3 Car garage coml.GaRaSiMobiL.odieapps
86661a4a611484f8db2593bfae241db9b53274a1736ec668335f878ed24795e4 Japanese Garden com.TaMaNJapanG.odieapps
79e77835c9690ca0bc6d376659dd15f50e396bbc573fcc7293d458d8002f6a60 Koi fish com.IkanKoI.odieapps
91bb8594e118338f38de22e96e89cc5e11d619da3ec3dc0ecada13720111a588 House Terrace com.TeRaSRumaH.odieapps
c41a8edaa85344e48a75843447358ea7a092fe1061bca79ac535abf467112eda Skirt Design com.DesainRokK.odieapps
52d9df500ae7684d58c2bf65fb6852da1440e79b07a049f72585ccf8665e9d64 Yoga Meditation com.MeditasiYoga.odieapps
21fce35139cfdf1145855987b6e3306adf26c3b60ba59b1c364a3d7d44bc5285 Shoe rack com.RaKSepatU.odieapps
4739a7d1317fee0a7a885a00468d9749bb7da5c5f1696408deaa736fa2aab6e9 Unique T-shirt com.KaoSUniK.odieapps
bc49cec1896f7f4542ff8712da8475bf5e55abe7558918c260492467eb03ef6f Mens Shoes com.SepatuPriA.odieapps
7345975ca29d16e3b55309e84f6249990878482ed55e597269fdd0cb77a290ff TV RuanG TaMu com.TVRuanGTaMu.odieapps
ecb04d5359949bfbbc64fd7bedd8fde3a5b9703784fea8d758a3a643117165b0 Idea Glasses com.IdeaKacamata.odieapps
a21f4e9536dcbcd810fbfcdff8f6cce5b6338f1d5df7ba45abd1a5f4ed8dca76 Fashion Muslim com.FashioNMusLiM.odieapps
41386181f9e7dc8085d6a117607cd79346744d925e5d2ca67759742fbac47e51 Bracelet com.GelangTut.odieapps
fceda65ea8624af018c072c60ed5fcb8b6bb00832fb63559e819463d2ba9db4e Clothing Drawing com.BusanaMenggambar.odieapps
c5b24cf5d348a6fe3ad543f70379c7d9fa60a8e9bac03d6ea387fcdbcbbca932 Minimalist Kitchen com.DapuRMiniMaLis.odieapps
c36e7566e2e92898162006b9922d9d8f450867224b67d2346f70d7e76b1cbae6 Nail Art com.SeNiKuKu.odieapps
0039f9b2faac6146bddc2831fdfa6a03327f77d3954a1a27ab66e6b0b5952a3a Ice cream stick com.StikEzKriM.odieapps
a8687cb35ee453958dc1757608505f3c5a7f137909f517acb7a850316d0e87b4 Roof com.AtapRumaH.odieapps
7da49a0122444b2087a582d142c82375541544fd765f29b9b3f7728e598b54e0 Children Clothes com.BusanaAnaK.odieapps
7312c5ba59f89350b13fe93107233a06c79a68eedff0eb082ef7a5f24bec76e2 Home Ceiling com.PlaFoNRumaH.odieapps
bf00efc96cf3ecdd3069afbbfae53aeb79910848721fe50d64410760790f1a27 PoLa BaJu com.PoLaBaJU.odieapps
892f883d3588ee952888cccb4bb9bb33092f1be924d981e69595a758daca8c86 Living room com.RuanGTaMu.odieapps
5a1693d255e5f487214fd1cd46c0cff8d5375903459c7f87ae17f636fa470e32 Bookshelf com.RakBuKu.odieapps
906cd586d8f7388c1fbb0581b926aa4b2dc5534d460cc3ba011198d26a1dfe16 Knitted Baby com.RajutanBayI.odieapps
96bd87c8bd8772b1f11b3e4771889b4d2d81739cd2ef7494a3ff54fc28e711f6 Hair Paint com.CaTRambuT.odieapps
54380fa8c12f6333a22fd0c728e615e92470565e96c7b39ae2f1d7e30584fc31 Wall Decoration com.DekoraSiDinding.odieapps
b6671808dbc226c11697c54d000b6a30213478c141d96aa4c3d52fa5243cff16 Painting Mahendi com.MelukisMehndi.odieapps
525c515e3e8c0d6007ab79f05a64c42951b440db4ab12f397218efa9692faa84 Bodybuilder com.Binaragawan.odieapps
399058e95153600a471d94309a6c3e87f3851647fb003f6d4289fa5b5df389a4 Couple shirts com.KaosCouple.odieapps
44066a23057ee93bed27737e8f444150c29c68b14bc9b21419f549188e436103 Unique Graffiti com.GrafitiUniK.odieapps
1fcd61a10c170d259fca12e52d1930018adafad5613551b5bbb14987de1c7cfd Paper flower com.BungaKerTas.odieapps
0b85488788f7f83e879f41591d674b50d4daafb60094918391d98f143ba54ddc Night gown com.BaJuTiDuR.odieapps
cb11dd259fa4fc0c1b4ee878cfb3c2df2a0a6ecab83276e33185ba7ce45c46ba Wardrobe Ideas com.IdeLeMaRi.odieapps
4091c8acea954fffd22be4c0675c440cf1fe4620d6659b8d23d8d3a2fc815e20 Dining table com.MejaMakaN.odieapps
9412ca41b7c9aebaeef05fe5c45bf5c5d998e5da44d5a7a495f5ba06c00feea0 Gymnastics com.LatiHaNSeNaM.odieapps
761032267b9659cd04676fce55e602a87e43cb4c75c58fa61486cc73da0016c6 Use Child com.PakaiAnAnak.odieapps
14bffba23e2bf4a61b4a54f1ef5027225290eab7f10d4c663570629e456cf51e Window Design com.DesainJenDeLa.odieapps
5dca7151c50ce88102b1fc5c0dd984c57202ad7c67f25be231d64cf1d52da437 Hijab StyLe com.HijabStyLe.odieapps
3350f4eb55c2f00c1ba0380044a1a6670a4eddc5cbabf903f2ad2e266eab58d2 Wing Chun com.TeknikWingChuni.xsadroid
c99a6e7e5d066076bacfad9142e3cf01855525782d638ccfe9ce7cd57d11ca5c Fencing Technique com.TeknikAnggar.xsadroid


  1. Dharmesh Shah says:

    Pls treat me as a newbie,
    If I am not mistaken, this PE affects only the “developers” Windows Machine.
    The ones who download the APK, Unpack it on their windows, and then execute some parts of it –> Correct ?
    What happens to Ordinary Users, who perhaps , just mistakenly download & Install the APK on their android, but dont unpack anything , nor explicitly copy the files.
    They just connect the phone to their windows machine for copying their contacts/videos/photos
    Are they vulnerable too ?

  2. Christopher Budd says:

    This shouldn’t be an issue for ordinary users. To get the Windows malware from the Android device to a Windows machine would require a number of sophisticated, manual steps that ordinary users won’t engage in.
    For all intents and purposes, they aren’t vulnerable to the malware on Windows. And as we noted, the malware is inert on Android.
    Thanks very much for reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

Get updates on Unit 42

Sign up to receive the latest news, cyber threat intelligence and research from Unit 42

Follow us on