Repackaging HTML5 Apps into Android Malware
With the finalization of the HTML5 standard by the World Wide Web Consortium (W3C) last October, we expect rapid growth in new HTML5 web apps in the near future. Because web apps are platform-independent, we foresee that HTML5 will accelerate the repackaging of web apps into mobile apps for malicious purposes.
A Quick Overview of HTML5 Android Apps
According to our monitoring, the number of new HTML5-packaged apps coming to the Android platform increased by 200% in 2014 from the numbers in 2013. The numbers have noticeably gone up to 600% from the original count in 2012.
Figure 1. Distribution of new HTML5-packaged apps in Android from 2012 to 2014
We noticed that the number of HTML5-packaged malware or potentially unwanted apps (PUAs) was also on the rise. Almost 50% of these mobile malware/PUAs were disguised as games.
Figure 2. Distribution of new HTML5-packaged malware/PUAs seen in Android from 2012 to 2014
One example of mobile malware/PUA is an app that pretends to be a legitimate HTML5 game called Tiny Rifles (package: com.html5.game2). Accessing the fake game on a browser loads the HTML5 game webview, but the app also injects an aggressive adware SDK into the code. The malicious app has since been removed from Google Play. We detect this as a potentially unwanted app (PUA).
Figure 3. Fake Tiny Rifles game
Two Attack Methods for HTML5 Android Malware
Based on our analysis, there are two major attack methods that HTML5-packaged malware may use:
Method #1: Initiating local webview
However, most hackers will not stop at this step, since merely converting a web app into an Android app is pointless. They often inject malicious Java code into the app before releasing it.
Figure 4. Malicious Java code injection in the HTML5-packaged apps
By packaging apps this way, the malicious code and the normal code are kept separate in the source; hackers can focus only on the injected part and spend little effort on the original HTML5 parts, which keeps the code logic clear and simple.
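As an added example (not code from the original article), here is a defender's triage check built on the observation above that repackagers leave the HTML5 part almost untouched and change only the Java side. It compares a suspect APK with a known-good reference build; the `assets/` prefix, the threshold and the sample archives are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile

ASSET_PREFIX = "assets/"   # assumption: web content ships under assets/ (Cordova uses assets/www/)
OVERLAP_THRESHOLD = 0.9    # assumption: illustrative cut-off, tune on real samples


def entry_hashes(apk_bytes):
    """Map every file in the APK (a ZIP archive) to its SHA-256 digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {name: hashlib.sha256(apk.read(name)).hexdigest()
                for name in apk.namelist() if not name.endswith("/")}


def dex_hashes(hashes):
    """Keep only the compiled Java code (classes.dex, classes2.dex, ...)."""
    return {n: h for n, h in hashes.items()
            if n.startswith("classes") and n.endswith(".dex")}


def compare_to_reference(reference_apk, suspect_apk):
    """Flag a suspect whose web assets match the reference but whose dex differs."""
    ref, sus = entry_hashes(reference_apk), entry_hashes(suspect_apk)
    ref_assets = {n: h for n, h in ref.items() if n.startswith(ASSET_PREFIX)}
    same = sum(1 for n, h in ref_assets.items() if sus.get(n) == h)
    overlap = same / len(ref_assets) if ref_assets else 0.0
    dex_changed = dex_hashes(ref) != dex_hashes(sus)
    return {
        "asset_overlap": overlap,
        "dex_changed": dex_changed,
        "extra_files": sorted(set(sus) - set(ref)),
        "likely_repackaged": overlap >= OVERLAP_THRESHOLD and dex_changed,
    }


def build_apk(files):
    """Build a minimal ZIP standing in for an APK (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in files.items():
            archive.writestr(name, data)
    return buf.getvalue()


# Constructed samples: identical HTML5 assets, different Java code.
WEB = {"assets/www/index.html": b"<canvas id='game'></canvas>",
       "assets/www/js/game.js": b"function start(){}"}
REFERENCE = build_apk({**WEB, "classes.dex": b"dex-original"})
SUSPECT = build_apk({**WEB, "classes.dex": b"dex-original+injected",
                     "assets/ads.cfg": b"constructed"})
```

A repackaged app is also re-signed, so comparing the signing certificate against the original developer's is a natural companion check that this sketch leaves out.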
As Android becomes more and more popular, a lot of middleware is coming out to make it convenient for developers to build cross-platform apps. Middleware is third-party software or a framework that works between apps and the operating system (OS).
For HTML5 and related web apps, there are now several open frameworks that support cross-platform development, such as PhoneGap, Apache Cordova, Crosswalk, CocoonJS, and more. These middleware often support HTML5. One example is Apache Cordova, which is well known and the most frequently used on Android.
HTML5 makes it easier to develop more powerful web apps and will definitely benefit Android in a certain sense, since web apps are platform-independent. For developers, the cost of cross-platform development is low and the “write once, run anywhere” (WORA) capability is available. There will never be platform-development latency. Users may share favorite apps among different mobile platforms at any time, which means that adopting HTML5 for web app development is always a win-win situation.
In the foreseeable future, we may see a type of malware that can hit different mobile platforms (such as iOS, Android, and Windows Phone) all at the same time. To prevent this, developers need to put more effort into code obfuscation or other coding tricks to secure their apps. Home users also need to be careful with new app installations and download only from official app stores.