Security researchers have found traces of Windows malware inside 132 Android apps hosted on the official Google Play Store.
According to security experts, all 132 apps contained a tiny iframe inside the source code of HTML pages shown at some point or another to their users.
This iframe attempted to connect to remote servers and download another payload. All the remote servers were down when researchers came across the infected apps, but the servers were known hotspots for malicious activity, having been involved in many Windows malware distribution campaigns.
In fact, CERT Poland had sinkholed two of the domains in 2013, after a series of high-profile attacks.
In one isolated case, besides the iframe, the HTML source code also contained a VBScript that attempted to drop a Base64 encoded Windows executable on the user's phone.
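The two injection patterns described above (a tiny iframe pointing at an external host, and a VBScript block carrying a Base64-encoded Windows executable) are easy to spot in the HTML assets an app bundles. The scanner below is an added example written for this article; it is not Palo Alto Networks' or Google's tooling. The sinkholed domain, the sample HTML and the fake executable bytes are all constructed placeholders, since the article does not reproduce the real indicators.

```python
"""Flag hidden iframes and VBScript-embedded Windows executables in app HTML.
Hypothetical detection helper, not the researchers' own code."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder standing in for the sinkholed domains named by the researchers
# (constructed; the article does not list the real ones).
KNOWN_SINKHOLED = {"sinkholed-example.invalid"}

# A run of Base64 alphabet characters long enough to be a binary blob.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _dimension(value):
    """Parse '1', '1px' or '0' into an int; None if not numeric."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class InjectionScanner(HTMLParser):
    """Collects (finding_type, detail) tuples while parsing one HTML page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_attrs = None   # attrs of the <script> currently open
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # HTMLParser lower-cases tag/attr names
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._script_attrs = a
            self._script_text = []

    def handle_endtag(self, tag):
        if tag == "script" and self._script_attrs is not None:
            self._check_script(self._script_attrs, "".join(self._script_text))
            self._script_attrs = None

    def handle_data(self, data):
        # Script bodies are delivered as raw data between the tags.
        if self._script_attrs is not None:
            self._script_text.append(data)

    def _check_iframe(self, a):
        host = urlparse(a.get("src", "")).hostname or ""
        w, h = _dimension(a.get("width")), _dimension(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
        hidden = "display:none" in style or "visibility:hidden" in style
        if host and (tiny or hidden):
            self.findings.append(("hidden_iframe", host))
        if host in KNOWN_SINKHOLED:
            self.findings.append(("sinkholed_domain", host))

    def _check_script(self, a, text):
        lang = (a.get("language") or a.get("type") or "").lower()
        if "vbscript" not in lang:
            return
        for blob in B64_RUN.findall(text):
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:          # not a clean Base64 run; skip it
                continue
            if raw[:2] == b"MZ":        # DOS/PE executable header
                self.findings.append(("embedded_windows_exe", len(raw)))


def scan_html(html):
    """Return the list of findings for one HTML document."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample: 64 fake bytes with an MZ header, Base64-encoded.
FAKE_EXE_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 56 + b"PE\x00\x00").decode()

SAMPLE_HTML = f"""<html><body>
<h1>Wallpaper pack</h1>
<iframe src="http://sinkholed-example.invalid/in.php" width="1" height="1" frameborder="0"></iframe>
<script language="VBScript">
Dim payload
payload = "{FAKE_EXE_B64}"
</script>
</body></html>"""

# Constructed clean page: a normally sized iframe to an ordinary host.
CLEAN_HTML = ('<html><body><iframe src="https://example.com/widget" '
              'width="300" height="200"></iframe></body></html>')

if __name__ == "__main__":
    for name, html in (("sample", SAMPLE_HTML), ("clean", CLEAN_HTML)):
        print(name, scan_html(html))
```

Running the block prints three findings for the constructed sample (the hidden iframe, its match against the sinkhole list, and a 64-byte embedded executable) and none for the clean page. Sizing and style checks catch the "tiny iframe" pattern even when the destination host is unknown; the domain list is a second, independent signal.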
Obviously, this file wouldn't be able to do any harm on an Android phone because Android can't execute EXE files.
Palo Alto Networks researchers, who discovered the infected apps, say this EXE file can modify the network hosts file, change Windows Firewall settings, inject code into another process, and copy itself.
This EXE file and the fact that some iframes connected to four-year-old sinkholed domains convinced researchers that these apps weren't infected on purpose by their developers, but the app developers were the victims of malware themselves.
Palo Alto says developers most likely downloaded malware-laced IDEs that secretly added the iframe code to all the HTML pages they generated, pages which were then included in their Android apps.
Another possible infection method is if developers used web-based app generators that appended the iframes in the HTML code of their apps.
Another theory is that developers were infected with the Ramnit malware, which is known to append hidden iframes in all the HTML files found on a victim's PC.
Researchers also discovered that the seven developers behind the 132 infected apps appear to reside in Indonesia, meaning they most likely used a malicious torrent to download an infected IDE, or were victims of a local malware distribution campaign.
Furthermore, it doesn't make sense for Android app developers to drop Windows malware on smartphones or use four-year-old dead domains. No matter how incompetent malware developers can sometimes be, they generally don't make these types of mistakes.
The infected apps were simplistic in nature, and the most popular had around 10,000 active installs, so no widespread harm was done. Google has temporarily removed the apps from the Play Store.
This is not the first time malware-laced IDEs have been used in malware distribution. Back in September 2015, Palo Alto discovered versions of Apple's Xcode IDE that injected the XcodeGhost malware into iOS apps built with it, which later made their way onto Apple's App Store.