Android apps found to contain Windows keylogger

Security researchers have found 145 Android apps infected with Windows malware, suggesting they were created on compromised Windows machines.

The researchers, from Palo Alto Networks’ Unit 42, said the findings had been reported to Google’s security team, which had removed the apps from Google Play.

The apps themselves did not pose a threat to Android devices since the malware they contained was designed only to execute on a Windows-based system.

Most of the infected apps were released to Google Play between October 2017 and November 2017, the researchers said.

“Among these infected apps, several had more than 1000 installations and four-star ratings.

“Interestingly, we saw a mixture of infected and non-infected apps from the same developers. We believe the reason might be that developers used different development environment for different apps.”

The most common piece of Windows malware in the apps was a keylogger.

The researchers suggested the infection was a reminder of the importance of securing development environments.

“The development environment is a critical part of the software development life cycle,” they said.

“We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain.

“This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks [like] NotPetya.”

NotPetya, which impacted major companies including Maersk and TNT Express, was originally spread through an infected update to a legitimate commercial software product.