Ransom notes from Cerber ransomware infections have been found inside the source code of two Android applications available on the official Google Play Store.
The apps aren't infected per-se, but they popped up on ESET's security scanner during a routine check.
"Our scanner picked up the Cerber ransomware leftovers, which is fine for Windows malware, but this was detected inside an Android app, and that's unusual and a bit weird," Stefanko told Bleeping Computer.
"I investigated this particular app, [...] and tried to identify what precisely is detected as Cerber Ransomware," the researcher added. "Fortunately, there was only a Cerber ransom note that triggered the scanner, and not actual payload."
Bleeping Computer also took a look at the two apps. What ESET's malware scanner picked up was a file named README.hta, the standard Cerber ransom note that the ransomware drops on the computers of infected victims.
There is no danger for the users of these two apps or any other Android device owner since Cerber is a ransomware family designed to work only on Windows computers.
Furthermore, there is no danger for Windows users either, since the ransom note file won't infect other computers. HTA (HTML Application) files have been used to spread ransomware, but these two ransom note files aren't weaponized with any attack code.
Ransomware ransom note files are generally benign. Antivirus vendors usually detect these files as a sign of an already existing infection, even if the files are harmless.
These two Cerber ransom notes only show information to victims on how to pay the ransom and recover their files. Based on the Tor payment site URL found in the ransom note, we discovered that this version of Cerber was active between September and December 2016.
There are different theories on how the Cerber ransom note ended up in the source code of the two apps.
On Twitter, Stefanko said he suspected the developer might have suffered a Cerber ransomware infection himself.
Since Cerber drops a ransom note in every folder where it encrypts files, infected computers are riddled with these notes. Victims can use a tool like Michael Gillespie's RansomNoteCleaner to remove them after paying the ransom. If the app developer didn't use anything similar, it's very likely that he had Cerber ransom notes lying around in his app's icon folder.
Another theory is that the designer of the icons (used for the app) was infected with Cerber. Since the ransom note is named README, most people who downloaded the icons would think it contains the icon package's license information, and wouldn't even bother opening the file before copy-pasting it into a new location (like an Android app).
The Italian app developer might have copied the leftover ransom note with the rest of the images in the Android app's /assets folder when he assembled his app, without even noticing the README file.
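As an added defender-side example (not code from the article, ESET, or the app's developer), the check below unpacks an APK, which is an ordinary zip archive, and flags files under assets/ that look like leftover ransom-note artifacts: HTA extensions, the HTML Application tag, or a Tor (.onion) URL. The sample archive and note text are constructed here and use placeholder values.

```python
import io
import re
import zipfile

# Constructed sample note (placeholder text and address, not a real Cerber note).
SAMPLE_NOTE = (
    "<html><head><HTA:APPLICATION id='note'></head><body>"
    "Your files have been encrypted. "
    "Visit http://xxxxxxxxxxxxxxxx.onion/ to pay</body></html>"
)

def build_sample_apk() -> bytes:
    """Build an in-memory APK-like zip with a README.hta left next to the icons."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("assets/icons/app_icon.png", b"\x89PNG placeholder bytes")
        z.writestr("assets/icons/README.hta", SAMPLE_NOTE)   # the leftover note
        z.writestr("assets/README.txt", "MIT License")        # a legitimate README
    return buf.getvalue()

HTA_MARKER = re.compile(r"<hta:application", re.IGNORECASE)
# Tor hidden-service hostnames are base32 (a-z, 2-7), 16 or 56 characters long.
ONION_URL = re.compile(r"https?://[a-z2-7]{16,56}\.onion", re.IGNORECASE)

def scan_apk_assets(apk_bytes: bytes) -> list:
    """Return (path, reasons) for assets/ entries that look like ransom-note leftovers."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            lower = name.lower()
            if not lower.startswith("assets/"):
                continue
            # Only inspect candidates: HTA files or anything named like a README.
            if not (lower.endswith(".hta") or "readme" in lower):
                continue
            text = z.read(name).decode("utf-8", errors="replace")
            reasons = []
            if lower.endswith(".hta"):
                reasons.append("hta-extension")
            if HTA_MARKER.search(text):
                reasons.append("hta-application-tag")
            if ONION_URL.search(text):
                reasons.append("onion-url")
            if reasons:
                findings.append((name, reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in scan_apk_assets(build_sample_apk()):
        print(f"{path}: {', '.join(reasons)}")
```

Running it against a real APK only requires passing the file's bytes to scan_apk_assets; a benign README.txt with no HTA or Tor markers produces no finding.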
The apps' developer did not respond to a request for comment in time for this article's publishing.