SonicWall Security Center


Old windows malware still follows its orders, lands up on Android devices with a hidden iframe (March 06, 2017)



Description


The SonicWall Threats Research team received reports that multiple Android apps harboring malicious iframes had been spotted on the Google Play store. As we investigated this threat we realized that things aren't always what they seem to be. To understand the full picture, let's take a quick trip into the past of one specific threat.

Past Crimes

A quick search for brenz.pl reveals a number of results online, some of them dating back to 2009. Malware writers have used this domain for drive-by attacks, in which malicious executables are hosted on a domain and unsuspecting users are tricked into clicking or visiting it, thereby infecting their machines.

  • 2009 - McAfee posted an analysis report of a malware infection that tries to connect to brenz.pl and carries hidden iframes
  • 2010 - Multiple reports (report 1 and report 2) surfaced from people concerned that their websites were being flagged as malicious by Google. Upon investigation they discovered an iframe hidden in their HTML pages pointing to brenz.pl
  • 2011 - Sucuri reported multiple infections of web pages with injected iframes that would lead victims to download malicious executables. The following iframe pattern was visible in most of the cases:
    iframe style='height:1px' src='hxxp://www.Brenz.pl/rc/' frameborder=0
  • 2016 - Upon purchasing a security camera from Amazon, Mike Olsen opened the configuration page for the camera and found something odd: an iframe in the configuration page with a format similar to the one described above. Here is the original post
  • 2017 - Yet again we see a resurgence of brenz.pl, but in a rather unexpected environment
Present day

We observed reports of multiple Android apps containing the infamous iframe that redirects to brenz.pl; upon investigation we found a number of Android webview apps infected with this iframe. Android WebView is a Chrome-powered component that lets an Android app display content pulled from the web inside the app. These apps are therefore simple in nature; most of the infected apps merely display a set of images stored locally by the app:
These apps are not malicious by themselves; they simply contain this iframe in the index.html page stored in the assets folder. The image below shows the code containing the iframe in index.html:


However, we observed another strain of similar iframe Android apps with one difference: these apps contained something in addition to the iframe tag, namely a VBScript. The image below shows yet another Android webview app that contains the iframe component, similar to the apps discussed above, but additionally carries a VBScript:

Clearly this script is instructed to drop an executable on the system, but why would an Android app contain an HTML page that drops a Windows executable onto an Android device? Something does not look right.

We extracted the hexadecimal data present in the WriteData component, saved it as an executable on a Windows machine and ran it; analysis of its behavior gives much needed clarity to this entire story.
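The triage described above, as an added example and not SonicWall's own tooling: a Python script that opens an APK as the zip archive it is, flags the hidden brenz.pl iframe and any VBScript block carrying a long hex run in the bundled HTML, and hashes the decoded bytes in memory instead of writing them to disk. The VBScript layout, the `WriteData` variable and the 64-byte stub payload are constructed assumptions, not taken from the real samples.

```python
# Added example (not SonicWall's tooling): VBScript layout and stub payload are constructed assumptions.
import hashlib
import io
import re
import zipfile

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN_RE = re.compile(r"(?:height|width)\s*:\s*1px", re.I)  # 1px frame = invisible to the user
VBSCRIPT_RE = re.compile(r"<script\b[^>]*vbscript[^>]*>(.*?)</script>", re.I | re.S)
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){32,}")  # even-length hex run of 64+ chars: candidate binary

def scan_html(html):
    """Report the injection markers found in one HTML document."""
    finding = {"hidden_brenz_iframe": False, "vbscript": False,
               "payload_md5": None, "payload_is_pe": False}
    for tag in IFRAME_RE.findall(html):
        if "brenz.pl" in tag.lower() and HIDDEN_RE.search(tag):
            finding["hidden_brenz_iframe"] = True
    for body in VBSCRIPT_RE.findall(html):
        finding["vbscript"] = True
        run = HEX_RE.search(body)
        if run:
            blob = bytes.fromhex(run.group(0))  # decode in memory only; never write or run it
            finding["payload_md5"] = hashlib.md5(blob).hexdigest()
            finding["payload_is_pe"] = blob[:2] == b"MZ"  # DOS/PE header magic
    return finding

def scan_apk(apk_bytes):
    """Scan every .html/.htm under assets/ in an APK, which is a plain zip archive."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("assets/") and name.lower().endswith((".html", ".htm")):
                results[name] = scan_html(apk.read(name).decode("utf-8", "replace"))
    return results

def build_sample_apk():
    """Constructed fixture: a webview-style APK whose index.html has been infected."""
    stub_hex = (b"MZ" + b"\x00" * 62).hex()  # 64-byte PE-like stub, not real malware
    infected = ("<html><body><img src='pic1.jpg'></body></html>\n"
                "<iframe style='height:1px' src='hxxp://www.Brenz.pl/rc/' frameborder=0>"
                "</iframe>\n<script language='VBScript'>\n"
                "WriteData = \"" + stub_hex + "\"\n</script>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("assets/index.html", infected)
        apk.writestr("assets/clean.html", "<html><body>No injection here</body></html>")
    return buf.getvalue()
```

Running `scan_apk(build_sample_apk())` reports the infected index.html with all three markers set and leaves clean.html with none; on a real APK the MD5 of the decoded blob can be compared against the hashes listed at the end of this post.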

The Windows connection

Upon execution, this malware (detected as GAV: Virut.HT (Trojan)) searches for HTML files on the system and makes a small addition to each of them: it appends the same malicious iframe and VBScript found on the Android device (in index.html) from which we retrieved the executable. The image below shows how a benign HTML page is converted into one with malicious content:


The image below shows an instance where the malware infected HTML pages present in the Adobe Reader folder on the system:

We can fairly assume what might have transpired:

  • The developer in question created the Android webview apps on a system that was infected with the Virut malware
  • As we saw earlier, the malware searches for HTML pages on the system and infects them
  • The malware caught the HTML page created for these Android apps and added the iframe component
  • These apps were later released, and so this threat made its way onto Android devices
As Android provides no means for Windows executables to run, this infection does not spread any further. But this behavior shows a very important feature of malware: its tenacity in obeying its instructions. The original malware writer might never have considered the scenario of spreading the malware to Android devices, yet it happened, owing to code that specifically instructed the malware to infect every HTML page it could find on the infected machine.

Overall this threat is an interesting one: the Android apps themselves are not malicious, but they harbor iframes that point to a domain known to have spread malicious content in the past. We may argue that the authors of these apps were not aware of the iframes in their HTML pages; in fact the authors may be victims here, as their workstations were likely infected when the apps were created.

This is a case where a piece of malware might have spread in unintentional ways. Artificial Intelligence is being hailed as the next frontier, but instances like these make us wonder just how this new technology would impact our lives.

Additional points:

  • brenz.pl is flagged as malicious by Google; we can see a warning for it in Google Chrome

  • CERT.pl has already sinkholed this domain, and potentially many more, in an effort to thwart Virut; here is a post with more information

  • A note to content creators: if any of your applications contain web pages with similar hidden iframes, your workstation is most likely infected. Clean the machine before publishing any further content, because your content, even though unintentionally, carries malicious code
  • Always install Android apps from the Google Play store and do not disable the automatic checks for malicious content in place by Google
  • Make sure you have the latest security patches released by Google
SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:
  • GAV: Virut.HT (Trojan)
  • GAV: IFrame.BNZ_2 (Trojan)
  • GAV: AndroidOS.IFrame.DWN (Trojan)
Android APK package names that were analyzed for this post, along with their corresponding MD5s:

APKs with just the malicious iframe:
APK with iframe and VBScript:
  • resep.bolu.ricky - 187107ac934b19a44a880bc9a438ac11
Malicious EXE extracted from the VB Script:
  • f395a1e2c87ea7610c175a17468f32ef
References:
  • https://home.mcafee.com/virusinfo/virusprofile.aspx?key=154055#none
  • http://www.webhostingtalk.com/showthread.php?t=1010284
  • https://forums.phpfreaks.com/topic/198952-hacked/
  • https://blog.sucuri.net/2011/03/brenz-pl-is-back-with-malicious-iframes.html
  • http://artfulhacker.com/post/142519805054/beware-even-things-on-amazon-come
  • https://krebsonsecurity.com/tag/sinkhole-cert-pl/



© 2017 SonicWall