Bad news for PC owners, it looks like mobile phones might be a viable way of infecting Windows machines with malware. Over at the McAfee blog, Fernando Ruiz has published the low down on how his team caught sight of a known Windows worm (Generic Malware.og!ats) inside the source code for an Android application.

The code, which is harmless to an Android phone but could infect a PC if you tried to run the APK on it, was buried inside an app called KFC WOW@25, an Augmented Reality app for enhancing menus at Indian branches of the fast food chain, created by Blink Solution. The app has been withdrawn from Google Play.

According to Ruiz:

“When a legitimate Android application contains a malicious file such as this one (for a Windows PC), it is likely this has occurred due to neglect on the part of the developer. This neglect can be as simple as not securing the development environment.”

Which isn’t much of an endorsement for Blink. Ruiz says it’s likely that one of the development machines had been infected with the malware and the user wasn’t aware of the fact. It’s not a massive risk to users – you’d have to be pretty odd to want to run the APK for an AR app on your non-moble desktop – but it does set a disturbing precedent.

Ruiz also adds that an Android email client found commonly installed on Android devices, including some variants of the Joy Tab Gem, is also a risk since it contains JavaScript code that calls a website that has been infected with malicious HTML.

(He declines to mention which app and we don’t have that tablet in the office to test it.)

(Hat tip: The Register, image from Digital Analog)