Contributors: Shaun Aimoto, Martin Zhang
The Ramnit worm (W32.Ramnit) was an aggressively propagated Windows-based worm that first appeared around 2010. Its creator used an extensive range of propagation techniques to ensure that it spread quickly and widely. Once it infects a computer, it copies itself to all attached and removable drives. Crucially, it also searches for and infects .exe, .dll, .htm, and .html files, a tactic that helps with both propagation and persistence.
The HTML file infection process uses two tactics: injecting VBScript code into an HTML page that drops and executes the worm, and also injecting a hidden iframe into HTML files that downloads a remote file if the page is opened in a browser.
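As an added example (not code from the original post or from Symantec), the following Python scanner flags the two injection patterns just described in HTML files bundled inside an APK: an injected VBScript block that uses file-system or shell objects, and a hidden iframe pointing at a remote resource. The regex heuristics, the constructed sample page and the `example.invalid` URL are assumptions for illustration, not Ramnit's actual strings.

```python
import re
import zipfile

# Heuristics for the two HTML-infection tactics described above (assumed patterns):
#  1. an injected VBScript block that touches file-system/shell objects to drop and run a binary
#  2. a hidden iframe (zero-size or display:none) that pulls a remote resource
VBS_BLOCK = re.compile(r'<script[^>]*language\s*=\s*["\']?vbscript', re.I | re.S)
DROP_APIS = re.compile(r'(Scripting\.FileSystemObject|WScript\.Shell|\.Run\b|OpenTextFile)', re.I)
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*(?:width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b|display\s*:\s*none)[^>]*>',
    re.I | re.S)
REMOTE_SRC = re.compile(r'src\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def scan_html(text: str) -> list[str]:
    """Return finding labels for one HTML document (empty list when nothing matches)."""
    findings = []
    if VBS_BLOCK.search(text) and DROP_APIS.search(text):
        findings.append("vbscript_dropper")
    for m in HIDDEN_IFRAME.finditer(text):
        src = REMOTE_SRC.search(m.group(0))
        findings.append(f"hidden_iframe:{src.group(1) if src else 'no-src'}")
    return findings


def scan_apk(apk_path: str) -> dict[str, list[str]]:
    """Scan every .htm/.html entry inside an APK (an APK is a zip) and report findings per entry."""
    report = {}
    with zipfile.ZipFile(apk_path) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".htm", ".html")):
                hits = scan_html(zf.read(name).decode("utf-8", errors="replace"))
                if hits:
                    report[name] = hits
    return report


# Constructed sample mimicking the two injection patterns; not a real infected file.
SAMPLE_HTML = """<html><body><h1>Tutorial page</h1>
<script language="VBScript">
Set fso = CreateObject("Scripting.FileSystemObject")
' ... an injected dropper would write a binary here and run it ...
</script>
<iframe src="http://example.invalid/f.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

Run `scan_apk("app.apk")` on an unpacked-or-not APK to get a per-file report; the heuristics are a triage aid and a hit should be confirmed by reading the flagged file.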
Because of its successes, Ramnit was the target of coordinated law enforcement action in 2015 when Symantec worked with Europol and a number of industry partners to seize and take down the botnet infrastructure, which greatly reduced the global footprint of the botnet.
Ramnit for Android?
Due to its aggressive methods of propagation, Ramnit has been known to turn up inside Android apps from time to time even though it does not actually run on Android. In March 2017, we were aware of over 100 similarly infected apps that were removed from Google Play. Recently we’ve seen yet another wave of new Ramnit-infected apps turning up there. The latest wave involved 92 distinct apps with a total of 250,000 downloads between them.
In the recent batch, one of the apps was an educational app from Lesmana Studio, and the others were various design tutorial apps from a developer called Arroya Apps, which no longer appears to be on Google Play.
On the face of it, this seems odd. Has Ramnit been ported to Android and is now being spread through Google Play? Things may not be quite as they seem.
Despite the setback many years ago, Ramnit’s operators have not completely gone away and there also seem to be many latent infections worldwide. What’s most likely happening here is that there are a number of Android app developers who are developing and building on infected computers or unknowingly bundling infected files into app bundles that are then submitted to Google Play for inclusion in the store. We know that Google has a system in place for vetting uploaded apps, but we don’t have visibility into the processes for vetting submitted apps, so we can’t say for sure why these infected apps are getting through the vetting process.
Will it impact me?
As stated earlier, Ramnit is a Windows-based threat, so it does not actually run on Android devices. In the vast majority of use cases, Android owners who connect an infected device to a Windows computer are safe. For a Windows infection to take place, you would have to connect your device to a Windows computer, then navigate to and open the infected HTML file in a browser.
Symantec customers are already protected from this issue. Our Norton Mobile product will protect against this and other threats so the infected app doesn’t even get onto your device, let alone onto a Windows computer that you hook your phone up to.
Figure. Norton Mobile warning of an infected app
Windows-based computers running Symantec security solutions are already well protected against Ramnit.
While this particular incident poses little risk to Symantec customers, it does highlight a potential weakness in the app vetting process and unless the gap is filled, this propagation technique may provide opportunities for new malware in the future.
We have informed Google of the presence of these apps on Google Play and it has removed them from the store.
To protect against this kind of threat on mobile devices, Symantec recommends users observe the following security best practices:
- Keep your software up to date
- Refrain from downloading apps from unfamiliar sites
- Only install apps from trusted sources
- Pay close attention to the permissions requested by an app
- Install a suitable mobile security app, such as Norton, in order to protect your device and data
- Make frequent backups of important data
Symantec and Norton products detect the Ramnit worm as the following: