In much the same way a forgotten land mine can cause injury years after it was planted, researchers are noticing the Ramnit worm popping up on mobile devices two years after its main operators were taken down by law enforcement.
Once one of the more dangerous botnets in use, Ramnit had its servers seized by Europol, with an assist from Symantec, in February 2015, effectively limiting the threat. However, Symantec is now noticing Ramnit appearing in apps on Google Play even though the malware does not run on Android. These first appeared in March 2017, when 100 Ramnit-infected apps were found, followed more recently by an additional 92 distinct apps. Together these had garnered more than 250,000 downloads.
Symantec researchers believe the continued presence is due to some Ramnit operators still being on the loose combined with latent infections of the apps.
“What's most likely happening here is that there are a number of Android app developers who are developing and building on infected computers or unknowingly bundling infected files into app bundles that are then submitted to Google Play for inclusion in the store,” Symantec wrote in a blog.
Symantec is not certain why Google's malware detection is not catching these apps during the vetting process, but it does not believe these apps pose any particular danger to consumers as the steps required to stir the malware into action are not simple.
“In the vast majority of use cases, Android owners who use Windows with an infected device are safe. You have to connect your device to a Windows computer, navigate to and open the infected HTML file in a browser in order for the Windows infection to take place,” Symantec said.
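The scenario described above, an infected HTML file bundled into an app package on a compromised build machine, is something a developer can check for before uploading. The following is an added example, not code from the article or from Symantec or Google: a small build-time scan that opens an APK (which is a zip archive) and flags HTML assets carrying active script content. It assumes the infected page arrives as an ordinary archive entry and that the infection is an embedded script block; the VBScript markers it looks for reflect how Ramnit's HTML file infector has historically worked, which the article itself does not describe, and the sample archive is constructed inline rather than taken from any real app.

```python
"""Build-time check for active script content in HTML assets bundled into
an APK. Added example, not from the article or Symantec. Assumptions: the
APK is a plain zip archive, and an infected page shows up as an HTML entry
containing an embedded <script> block."""
import io
import re
import zipfile

# A bare <script> tag in an asset that should be static is worth a look;
# language="VBScript" is the marker most associated with Ramnit-style HTML
# infection (assumption drawn from public analyses, not from the article).
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
VBSCRIPT_MARKERS = re.compile(
    rb'language\s*=\s*["\']?vbscript|WScript\.Shell|CreateObject\s*\(',
    re.IGNORECASE,
)

HTML_SUFFIXES = (".html", ".htm")


def scan_apk_html(apk_bytes: bytes) -> dict:
    """Return {entry_name: verdict} for every HTML entry in the archive.

    Verdicts: 'clean' (no script), 'script' (has a <script> block),
    'vbscript' (has Ramnit-style VBScript markers).
    """
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(HTML_SUFFIXES):
                continue
            data = zf.read(info)
            if VBSCRIPT_MARKERS.search(data):
                verdicts[info.filename] = "vbscript"
            elif SCRIPT_TAG.search(data):
                verdicts[info.filename] = "script"
            else:
                verdicts[info.filename] = "clean"
    return verdicts


def flagged_entries(apk_bytes: bytes) -> list:
    """Entries a reviewer should inspect before the build is published."""
    return sorted(name for name, v in scan_apk_html(apk_bytes).items()
                  if v != "clean")


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK; none of this is a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("assets/help/index.html",
                    "<html><body><h1>Help</h1></body></html>")
        zf.writestr("assets/help/about.html",
                    "<html><script>console.log('about')</script></html>")
        # Constructed shape of an infected page: a benign page with a
        # VBScript block appended after the closing tag (marker only,
        # no payload).
        zf.writestr("assets/eula.htm",
                    "<html><body>EULA</body></html>\n"
                    '<script language="VBScript">\n'
                    "' constructed marker\n"
                    "</script>")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk()
    for name, verdict in scan_apk_html(sample).items():
        print(f"{verdict:9s} {name}")
    print("needs review:", flagged_entries(sample))
```

Run it against a real build by reading the APK into `apk_bytes` and failing the pipeline when `flagged_entries` is non-empty; HTML assets that legitimately need JavaScript can be allow-listed by path, while any `vbscript` verdict should stop the upload and trigger a scan of the build machine.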