The Ramnit worm (W32.Ramnit) was an aggressively propagated Windows-based worm that first appeared around 2010. Its creator used an extensive range of propagation techniques to ensure that it spread quickly and widely. Once it infects a computer, it copies itself to all attached and removable drives. Crucially, it also searches for and infects .exe, .dll, .htm, and .html files, a tactic that helps with both propagation and persistence.
The HTML file infection process uses two tactics: injecting VBScript code into an HTML page that drops and executes the worm, and also injecting a hidden iframe into HTML files that downloads a remote file if the page is opened in a browser.
Because of its successes, Ramnit was the target of coordinated law enforcement action in 2015 when Symantec worked with Europol and a number of industry partners to seize and take down the botnet infrastructure, which greatly reduced the global footprint of the botnet.
Ramnit for Android?
Due to its aggressive methods of propagation, Ramnit has been known to turn up inside Android apps from time to time even though it does not actually run on Android. In March 2017, we were aware of over 100 similarly infected apps that were removed from Google Play. Recently we’ve seen yet another wave of new Ramnit-infected apps turning up there. The latest wave involved 92 distinct apps with a total of 250,000 downloads between them.
In the recent batch, one of them was an educational app from Lesmana Studio, and other ones were various design tutorial apps from a developer called Arroya Apps, which no longer seems to be on Google Play.
On the face of it, this seems odd. Has Ramnit been ported to Android and is now being spread through Google Play? Things may not be quite as they seem.
Despite the setback many years ago, Ramnit’s operators have not completely gone away and there also seem to be many latent infections worldwide. What’s most likely happening here is that there are a number of Android app developers who are developing and building on infected computers or unknowingly bundling infected files into app bundles that are then submitted to Google Play for inclusion in the store. We know that Google has a system in place for vetting uploaded apps, but we don’t have visibility into the processes for vetting submitted apps, so we can’t say for sure why these infected apps are getting through the vetting process.