Recently, Quick Heal Security Labs found an Android application present on the Google Play Store which was infected by Windows malware. The application is meant for Gionee SmartWatch configuration and visualizing the data through App. On further analyzing the App, we found few HTML files which were infected with Windows malware. These infected HTML files were present in the asset folder of APK. This isn‘t the first time that an Android APK is infected with Windows malware, as there are similar findings from the other researchers as well. But this is first that an official app from a known company is infected. The infected app was developed and uploaded to the Google Play Store by Gionee – a Chinese smartphone manufacturer.
We suspect, the App developer’s environment might have been infected already, and it further made its way in the APK bundle while uploading the app on Play Store.
On further analysis of HTML files, we noticed that some VBScript code is appended at the end of the HTML file, as shown in Figure 3. The VBScript has an encoded code of windows executable and code to dump it into an executable file. It drops this payload in a file with the name “svschost.exe” and gives a call for execution. As the VBScript is a Microsoft Windows scripting language, and it will not get executed on the Android platform.
In windows this kind of malware is categorized as Infectors, these malware targets the EXE, DLL and HTML files and infects them by appending malicious code. For the technical analysis of this type of Infector, you can visit “Ramnit Malware: Improvising its weapons” blog post.
We reported this app to Google’s Android Security team on 20th February 2020 and Google was quick enough to remove the infected app from the Google Play Store after revalidating our claim. The App developers have taken necessary actions and a new, clean version of the application is available on the Play Store. Though this application may not be directly harmful to the Android devices, it contains files that are harmful to other platforms. Google categories such applications as Non-Android threat.
Details about the infected G Buddy App
App Name:G Buddy – Smart ‘LIFE’
App Version : 1.0.11
Package Name: com.gn.fitness
App MD5: 203ceed411b0b58ea7967084fe7d6816
Google play link
*Respective trademarks are owned by respective third-party trademark owners