Repackaging HTML5 Apps into Android Malware

Predictably, with the finalization of the HTML5 standard by the World Wide Web Consortium (W3C) last October, there will be rapid growth in new HTML5 web apps in the near future. Given the platform-independent nature of web apps, we foresee that HTML5 will accelerate the repackaging of web apps into mobile apps for malicious intent.

A Quick Overview of HTML5 Android Apps

According to our monitoring, the number of new HTML5-packaged apps coming to the Android platform increased by 200% in 2014 from its numbers in 2013. The numbers have noticeably gone up to 600% from the original count in 2012.

Figure 1. Distribution of new HTML5-packaged apps in Android from 2012 to 2014

We noticed that the number of HTML5-packaged malware or potentially unwanted apps (PUAs) was also on the rise. Almost 50% of these mobile malware/PUAs were disguised as games.

Figure 2. Distribution of new HTML5-packaged malware/PUAs seen in Android from 2012 to 2014

One example of mobile malware/PUA is an app that pretends to be a legitimate HTML5 game called Tiny Rifles (package: com.html5.game2). Accessing the fake game on a browser loads the HTML5 game webview but also injects an aggressive adware SDK into the code. The malicious app has since been removed from Google Play. We detect this as a potentially unwanted app (PUA).

Figure 3. Fake Tiny Rifles game

Two Attack Methods for HTML5 Android Malware

Based on our analysis, there are two major attack methods that HTML5-packaged malware may use:

Method #1: Initiating local webview

This is a popular attack method that may be carried out without modifying a single line of code from the original HTML5 app. Hackers only need to initiate a local webview to load the attached or remote HTML5/JavaScript/CSS code. By doing this, the main functionality will work and a new app in Android format can be released.

However, most hackers will not stop at this step, since merely converting a web app to an Android app is pointless. Hackers often inject malicious Java code into the app before releasing it.

Figure 4. Malicious Java code injection in the HTML5-packaged apps

By packaging apps this way, the malicious code and normal code can be kept separate in the source; hackers can focus on the injected part and spend little effort on the original HTML5 parts, which keeps the code logic clear and simple.

Method #2: Packaging HTML5 apps to middleware injected with malicious JavaScript code

As Android becomes more and more popular, a lot of middleware is coming out to make it convenient for developers to build cross-platform apps. Middleware is third-party software or a framework that works between apps and the operating system (OS).

For HTML5 and related web apps, there are now several open frameworks that support cross-platform development, such as PhoneGap, Apache Cordova, Crosswalk, CocoonJS, and more. These middleware often support HTML5. One example, Apache Cordova, is well known and the most frequently used on Android.

Apart from running HTML5/JavaScript/CSS code in a webview, apps integrated with this middleware run in the core of the framework libraries, which are usually something like deeply customized browsers. With the powerful APIs this middleware provides, developers can interact with Android using only JavaScript.

Figure 5. Malicious JavaScript code injection to send SMS by Cordova execution
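
For app owners and reviewers, one way to audit a packaged web bundle for bridge calls the original app never made is sketched below. This is an added example, not code from the original post or from Cordova; the file names, the "Sms" service name and the allowlist are constructed for illustration.

```python
import re

EXEC_CALL = re.compile(r"\bcordova\s*\.\s*exec\s*\(")
STRING_LITERAL = re.compile(r"""^(['"])([\w.$-]+)\1$""")

def split_args(src, start):
    """Split a call's arguments at top-level commas; start is just past '('."""
    args, cur, depth, quote, i = [], [], 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:                       # inside a JS string literal
            if ch == "\\":
                cur.append(src[i:i + 2]); i += 2; continue
            if ch == quote:
                quote = None
        elif ch in "'\"`":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            if depth == 0:              # closing paren of the exec call
                return args + ["".join(cur).strip()]
            depth -= 1
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip()); cur = []; i += 1; continue
        cur.append(ch); i += 1
    return args                         # unterminated call: keep what we have

def find_bridge_calls(path, src):
    """Return (path, line, (service, action) or None) per cordova.exec call."""
    calls = []
    for m in EXEC_CALL.finditer(src):
        args = split_args(src, m.end())
        lits = [STRING_LITERAL.match(a) for a in args[2:4]]
        ok = len(lits) == 2 and all(lits)
        target = (lits[0].group(2), lits[1].group(2)) if ok else None
        calls.append((path, src.count("\n", 0, m.start()) + 1, target))
    return calls

def audit(bundle, allowed):
    """Flag calls outside the allowlist or with non-literal targets."""
    findings = []
    for path, src in sorted(bundle.items()):
        for p, line, target in find_bridge_calls(path, src):
            if target is None:
                findings.append((p, line, "dynamic bridge target"))
            elif target not in allowed:
                findings.append((p, line, "unexpected %s.%s" % target))
    return findings

# Constructed sample bundle: one original file, one injected file.
SAMPLE = {
    "www/js/game.js": 'function boot() {\n  cordova.exec(function (i) { start(i, 1); }, onErr, "Device", "getDeviceInfo", []);\n}\n',
    "www/js/ads.js": '// constructed injected file\ncordova.exec(null, null, "Sms", "send", [to, body]);\ncordova.exec(null, null, svc, act, [to, body]);\n',
}
ALLOWED = {("Device", "getDeviceInfo")}   # bridge calls the original app makes
```

Calling `audit(SAMPLE, ALLOWED)` reports the two calls in `www/js/ads.js` and nothing from the original game file.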


HTML5 makes it easier to develop more powerful web apps and will definitely benefit Android in a certain sense, since web apps are platform-independent. To developers, the cost of cross-platform development is low and the “write once, run anywhere” (WORA) capability is available. There will never be platform-development latency. Users may share favorite apps among different mobile platforms at any time, which means that adopting HTML5 for web app development is always a win-win situation.

While cross-platform benefits may also mean cross-platform infections, the difficulty of protecting JavaScript code often makes web apps easy to copy and repackage. Theoretically, through code injection and repackaging, hackers can pirate any web app they want and make it support any platform.

In the foreseeable future we may see a type of malware that can hit different mobile platforms (such as iOS, Android, and Windows Phone) all at the same time. To prevent this, developers need to put more effort into code obfuscation or other coding tricks to secure their apps. Home users also need to be careful with new app installations and download only from official app stores.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 29 December 2014.