The latest batch of apps, like the ones 12 months ago, came from a variety of different developers. The common thread among all the apps: their code was written on programming platforms infected with malware known as Ramnit. Although the Ramnit botnet of 3.2 million computers was dismantled in 2015, infections on local machines live on.
The malware adds malicious iframes to every HTML file stored on an infected computer. Those injected iframes were then carried along in HTML files that were bundled into the Android apps. Researchers at security firm Zscaler said almost all of the 150 infected apps were detected using common antivirus engines.
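Because an APK is a zip archive and the injected content is an ordinary iframe, the contamination described above can be caught before publication by scanning the archive's HTML assets for iframes that point at external hosts. The script below is an added example written for this article, not code from Zscaler, Google or Ars; the iframe domain it uses is a placeholder, since the article does not name the sinkholed domains, and the sample APK it builds is constructed in memory.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder host: the article does not name the sinkholed Ramnit domains,
# so a constructed example domain stands in for the injected iframe target.
INJECTED_IFRAME = (
    '<iframe src="http://sinkholed-domain.example/" width="1" height="1" '
    'style="visibility:hidden"></iframe>'
)


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> in an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def external_iframes(html_text, allowed_hosts=()):
    """Return iframe src values whose host is not in allowed_hosts.

    Relative srcs (no host) are assumed to be the app's own bundled content and
    are not reported; only iframes that reach out to another host are flagged.
    """
    parser = IframeCollector()
    parser.feed(html_text)
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(src)
    return findings


def scan_apk(apk_bytes, allowed_hosts=()):
    """Scan every .html/.htm member of an APK (a zip) for external iframes.

    Returns a dict mapping archive member name -> list of suspicious src values;
    an empty dict means nothing was found.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".html", ".htm")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            hits = external_iframes(text, allowed_hosts)
            if hits:
                report[name] = hits
    return report


def build_sample_apk():
    """Construct a minimal in-memory 'APK' with one contaminated HTML asset.

    The layout (AndroidManifest.xml plus assets/) is a constructed stand-in for a
    real package; the iframe is appended after the document, which is enough for
    the parser to see it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr(
            "assets/help/index.html",
            "<html><body><h1>Help</h1></body></html>" + INJECTED_IFRAME,
        )
        zf.writestr("assets/about.html", "<html><body><p>About</p></body></html>")
        zf.writestr("assets/js/app.js", "console.log('hi');")
    return buf.getvalue()


if __name__ == "__main__":
    for member, srcs in scan_apk(build_sample_apk()).items():
        print(f"{member}: external iframe(s) -> {srcs}")
```

Run against a real package, the same `scan_apk` call can be pointed at the bytes of any `.apk` file; passing the developer's own CDN hosts in `allowed_hosts` keeps legitimate embedded content out of the report, so that only unexpected third-party hosts, such as the ones planted by a file-infecting worm on the build machine, are surfaced.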
The two domains in the iframes were neutralized years ago through a process known as sinkholing. And even if the domains had been active, they would have been unable to infect an Android device. Still, Google’s inability to detect obviously infected apps on at least two occasions over 12 months is a problem.
“This trend of cross-platform infection propagation should be concerning for Android users as the malware author can easily serve platform-specific malicious content based on the device making the connection to the attacker controlled URLs from such infected apps,” Zscaler researcher Deepen Desai told Ars. Google removed the apps after being notified of them.