Background

Apps Infecting Android Phones With Windows Malware Is Still A Thing

Back in 2017, researchers discovered 132 Android apps in the Google Play Store that attempted to infect users with Windows malware.

Because Android is both the most fragmented mobile operating system and the most popular one, it's not uncommon to find infected apps making their way into the Play Store. That is a bad thing in itself. In this case, however, the researchers found apps that don't contain any Android malware at all, and instead carry Windows malware.

In 2018, researchers from a different security company, Zscaler, reported finding 150 more.

Here, the infection came from the defunct botnet called Ramnit.

First appearing in 2011, the malware infected millions of Windows PCs around the world, turning them into a hub for online crime.

The malware works by appending a malicious iframe to every HTML file stored on an infected computer. When an infected developer's machine is used to build an Android app, those tainted HTML files are packaged into the app, and the iframe ships with it.

And here, as in 2017, the infected apps came from a variety of different developers. Although the Ramnit botnet of 3.2 million computers was dismantled in 2015 by a European law enforcement operation together with Symantec, infections on individual machines live on. The Android apps here act as the carrier of the infection.
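A defender who wants to catch this pattern before publishing can inspect the HTML assets bundled in an APK for external iframes. The following is an added example, not code from the original article or from Zscaler: it builds a constructed, APK-like zip in memory (with a placeholder domain, not a real Ramnit indicator) and scans every bundled HTML file for iframes whose src points at an outside host.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collects <iframe> tags whose src points to an external host."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if not host:
            return  # relative/local frame: not the cross-platform pattern
        # A 0/1-pixel frame is invisible to the user, a common way to hide injected content
        hidden = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
        self.hits.append((host, hidden))


def scan_apk_for_injected_iframes(apk_bytes):
    """Return [(member_name, external_host, hidden)] for every HTML asset carrying an external iframe."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.lower().endswith((".htm", ".html")):
                continue
            parser = _IframeCollector()
            parser.feed(z.read(name).decode("utf-8", errors="replace"))
            findings.extend((name, host, hidden) for host, hidden in parser.hits)
    return findings


def build_sample_apk():
    """Constructed sample: a minimal APK-like zip with one clean and one tainted HTML asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        z.writestr("assets/help/index.html", "<html><body><h1>Help</h1></body></html>")
        z.writestr("assets/help/about.html",
                   "<html><body><p>About</p>"
                   # placeholder domain, constructed for this example
                   '<iframe src="http://malicious-placeholder.example/x.php" width="1" height="1"></iframe>'
                   "</body></html>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, host, hidden in scan_apk_for_injected_iframes(build_sample_apk()):
        print(f"external iframe in {name} -> {host} (hidden={hidden})")
```

Run against a real APK, the same function takes the file's bytes; a hit on an HTML asset that the developer never wrote is the signal to rebuild the app on a clean machine.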

Zscaler said almost all of the 150 infected apps can be detected by common antivirus engines, so this shouldn't be a big problem for anyone who keeps their system's security up to date. What's more, the two domains referenced in the iframe were neutralized years ago through a process known as sinkholing, which redirects traffic away from its original destination to another specified one.

So here, the malware shouldn't be able to infect an Android device.

Still, this is proof of Google's inability to detect obviously infected apps on at least two occasions within 12 months.

"This trend of cross-platform infection propagation should be concerning for Android users as the malware author can easily serve platform-specific malicious content based on the device making the connection to the attacker controlled URLs from such infected apps," said Zscaler researcher Deepen Desai.

After being notified, Google removed the apps from its Play Store.

Published: 09/03/2018