Recently, 360 Beaconlab detected two apps carrying malicious PE files in the Google Play app store. Both apps belong to the same developer, and each has over 10,000 installations.
Our analysis found that a PE file named assets.exe exists in the assets folder of both app packages. The main malicious behaviors include:
- Uses a folder icon as a disguise and is developed with AutoIt scripts;
- Modifies the registry so that hidden files and the extensions of known file types are no longer shown, and creates a self-starting item;
- Traverses the files on the user's hard drive, hides each folder, and renames itself to the hidden folder's name. In addition, the malicious file is itself infected by a file-infecting virus, which can be loaded and spread on the local host and the local area network (LAN) before the exe file runs.
The PE file is detected by 360 and multiple other AV products. Currently, no code fragment has been found in the application code on Google Play that calls the malicious PE file; it is suspected that the developer's device used for compiling and packaging was infected.
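The host-side artefacts the behaviors above would leave (Explorer settings that hide extensions and hidden files, an autostart entry, and a hidden folder with a same-named .exe beside it) can be triaged with the following script. It is an added example, not code from the 360 report or from the malware; it assumes the Explorer view settings are read from the HKCU Explorer\Advanced values HideFileExt, Hidden and ShowSuperHidden, and that $ScanRoot is the tree to check for the hide-and-rename pattern.

```powershell
# Triage script (added example, not from the 360 report). Reports registry and
# file-system artefacts consistent with the assets.exe behaviour described above.
param([string]$ScanRoot = $env:USERPROFILE)   # assumed scan root; pass a drive root for a full check

$findings = @()

# Explorer view settings. HideFileExt=1 hides known extensions, Hidden=2 hides
# hidden items, ShowSuperHidden=0 hides protected OS files; together they let a
# folder-icon .exe pass for the folder it replaced.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$view = Get-ItemProperty -Path $advanced -ErrorAction SilentlyContinue
if ($view) {
    if ($view.HideFileExt -eq 1)     { $findings += 'VIEW  HideFileExt=1 (known extensions hidden)' }
    if ($view.Hidden -eq 2)          { $findings += 'VIEW  Hidden=2 (hidden files not shown)' }
    if ($view.ShowSuperHidden -eq 0) { $findings += 'VIEW  ShowSuperHidden=0 (protected OS files hidden)' }
}

# Autostart entries. Every Run value is listed; entries launching from a
# user-writable location or straight from a drive root are tagged "RUN?".
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PowerShell's own metadata properties
        $cmd = [string]$p.Value
        $odd = ($cmd -match '(?i)\\(AppData|Temp|Users\\Public)\\') -or
               ($cmd -match '(?i)^"?[a-z]:\\[^\\]+\.exe')
        $tag = if ($odd) { 'RUN?  ' } else { 'RUN   ' }
        $findings += "$tag[$key] $($p.Name) = $cmd"
    }
}

# Hidden folder with <name>.exe next to it: the hide-and-rename pattern.
$hiddenDirs = Get-ChildItem -Path $ScanRoot -Directory -Force -Recurse -Depth 2 -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }
foreach ($dir in $hiddenDirs) {
    $twin = Join-Path $dir.Parent.FullName ($dir.Name + '.exe')
    if (Test-Path -LiteralPath $twin -PathType Leaf) {
        $findings += "TWIN  $twin sits beside hidden folder $($dir.FullName)"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Run it from an elevated PowerShell prompt on the host being examined; a "TWIN" or "RUN?" line is a lead to examine, not a verdict on its own.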
- March 8, 2019: 360 Beaconlab detected the malicious apps on Google Play and reported them to Google.
- March 9, 2019: Google confirmed that the two apps were classified as PHA (Potentially Harmful Application) and were no longer available on Google Play.
- March 11, 2019: 360 Beaconlab released the report.