Android App Contains Windows Worm

When developers are unaware of security they open the door to threats against their customers and users. We are not just talking about exploitable vulnerabilities in their code, but about something much more obvious than that.

Here is the curious case of an Android application on Google Play that contains some traces of malware, but poses no security danger for Android devices. This same application, however, is dangerous to other mobile and PC platforms.

Embedded inside this APK file, McAfee Labs found a Windows worm (Generic Malware.og!ats) that replicates itself via network shares. There is no auto-execution option for the malware on a Windows PC, but a user could run the malicious application by opening the APK (in Zip format) and running the program. This PC malware resides in each Android device that has installed the “KFC WOW@25 Menu” app.

Windows Malware on Google Play

When a legitimate Android application contains a malicious file such as this one (for a Windows PC), it is likely this has occurred due to neglect on the part of the developer. This neglect can be as simple as not securing the development environment.

The developer of this app possibly had outdated antimalware software on the computer, so without realizing that the computer was infected, the source code directory contained a copy of the worm. From there the worm was packaged, signed, and deployed on Google Play, with the developer completely unaware of the file.

code_Windows Malware on Google Play

Windows malware executable file is signed by the developer of the Android app.

Even though this may seem like a low risk and the application has been removed from Google Play, it still poses a risk to consumers.

Another interesting and similar case comes in the form of an infected HTML file containing malicious JavaScript code. This HTML exists within a preinstalled email application present on many Android tablet devices.

html_Windows Malware on Google Play

Email application in the tablet “Joy Tab Gem10312BK.”

We believe malware running on the developer’s PC is capable of infecting all HTML files with this JavaScript, including any ready to be packaged inside an Android app!

The lesson for developers is clear. It is vital to remember the essentials for a secure computer: maintain updated antimalware software, especially if you intend to distribute content to other users.

The cross-platform McAfee antimalware suite protects against these types of threats and alerts customers and developers to prevent infections. McAfee detects these Android applications on Windows platforms.