{"id":88763,"date":"2020-03-30T20:05:50","date_gmt":"2020-03-30T14:35:50","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=88763"},"modified":"2020-03-30T21:18:06","modified_gmt":"2020-03-30T15:48:06","slug":"application-found-on-google-play-store-carrying-windows-malware","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/application-found-on-google-play-store-carrying-windows-malware\/","title":{"rendered":"Android application found on Google Play Store carrying Windows malware!"},"content":{"rendered":"

Recently, Quick Heal Security Labs found an Android application present on the Google Play Store which was infected by Windows malware. The application is meant for Gionee SmartWatch configuration and visualizing the data through App. On further analyzing the App, we found few HTML files which were infected with Windows malware. These infected HTML files were present in the asset folder of APK. This isn\u2018t the first time that an Android APK is infected with Windows malware, as there are similar findings from the other researchers as well. But this is first that an official app from a known company is infected. The infected app was developed and uploaded to the Google Play Store by Gionee – a Chinese smartphone manufacturer.<\/span><\/span><\/span><\/p>\n

We suspect, the App developer’s environment might have been infected already, and it further made its way in the APK bundle while uploading the app on Play Store. <\/span><\/span><\/span><\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Figure 1: G buddy application and its Information.<\/em><\/figcaption><\/figure>\n
\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Figure 2: Reviews from the end-users.<\/em><\/figcaption><\/figure>\n

On further analysis of HTML files, we noticed that some VBScript code is appended at the end of the HTML file, as shown in Figure 3. The VBScript has an encoded code of windows executable and code to dump it into an executable file. It drops this payload in a file with the name “svschost.exe” and gives a call for execution. As the VBScript is a Microsoft Windows scripting language, and it will not get executed on the Android platform.<\/span><\/span><\/span><\/p>\n

In windows this kind of malware is categorized as Infectors, these malware targets the EXE, DLL and HTML files and infects them by appending malicious code. For the technical analysis of this type of Infector, you can visit “Ramnit Malware: Improvising its weapons<\/a>” blog post.<\/span><\/span><\/span><\/p>\n

\"\"
\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Figure 3: Appended malicious code within HTML<\/em><\/figcaption><\/figure>\n

We reported this app to Google\u2019s Android Security team on 20<\/span><\/span><\/span>th<\/span><\/span><\/sup><\/span> February 2020 and Google was quick enough to remove the infected app from the Google Play Store after revalidating our claim. The App developers have taken necessary actions and a new, clean version of the application is available on the Play Store. Though this application may not be directly harmful to the Android devices, it contains files that are harmful to other platforms<\/span>.\u00a0<\/span><\/span><\/span><\/span>Google categories such applications as <\/span><\/span><\/span>Non-Android threat<\/a>.<\/span><\/span><\/p>\n

Details about the infected G Buddy App<\/span><\/span><\/span><\/strong><\/h5>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 <\/span><\/span><\/span><\/strong>App Name:G Buddy – Smart ‘LIFE’<\/span><\/span><\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0<\/span><\/span><\/span><\/strong> \u00a0 App Version : 1.0.11<\/span><\/span><\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Package Name: <\/span><\/span><\/span>com.gn.fitness<\/span><\/span><\/span><\/p>\n

\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 App MD5: 203ceed411b0b58ea7967084fe7d6816<\/span><\/span><\/span><\/p>\n

Google play link<\/span><\/span><\/span><\/p>\n

*<\/span><\/span>Respective trademarks are owned by respective third-party trademark owners<\/b><\/i><\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Recently, Quick Heal Security Labs found an Android application present on the Google Play Store which was infected by Windows malware. The application is meant for Gionee SmartWatch configuration and visualizing the data through App. On further analyzing the App, we found few HTML files which were infected with Windows malware. These infected HTML files […]<\/p>\n","protected":false},"author":60,"featured_media":88788,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[55],"tags":[431,49,1249],"class_list":["post-88763","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-android","tag-android","tag-malware","tag-windows"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88763"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/60"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=88763"}],"version-history":[{"count":33,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88763\/revisions"}],"predecessor-version":[{"id":88910,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/88763\/revisions\/88910"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/88788"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=88763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=88763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=88763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

https:\/\/play.google.com\/store\/apps\/details?id=com.gn.fitness&hl=en_IN<\/span><\/span><\/span><\/a><\/u><\/span><\/span><\/p>\n