Sign in with
Sign up | Sign in

BadNews: Lookout Discovers New Malware Family

By - Source: Lookout Security | B 9 comments

Lookout Security said on Friday that it has discovered a new family of malware called BadNews. The company uncovered the malware in 32 applications listed by four different developer accounts on Google Play.

In a security blog by Lookout's Marc Rodgers, the firm said that BadNews masquerades as an innocent-yet-aggressive advertising network within actual Android apps that advertises malware as updates or other free software at a later date. This allows the apps themselves to pass through Google's app "scrutiny".

"According to Google Play statistics, the combined affected applications have been downloaded between 2,000,000 – 9,000,000 times," the company said. "We notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation."

BadNews works by sending fake news messages to the user, prompting them to install disguised malware like AlphaSMS, a well-known premium rate SMS fraud malware. BadNews also sends sensitive information such as the phone number and device ID to its Command and Control (C&C) server.

"BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior," Rodgers said in Friday's update. "If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred."

Once the "infected" app is installed on the user's device, BadNews polls its C&C server every four hours for new instructions while relaying several pieces of sensitive information. The server replies with instructions, telling BadNews to post fake news which prompts the user to select a link to a download. Infected users think they are downloading updates or free software, but in reality most of the URLs point to a download for the AlphaSMS toll fraud app. This app pretends to install the supposed freely available software, but actually results in fraudulent charges via Premium SMS instead.

"We have enumerated the majority of available download URLs and determined that most endpoints lead to the download of AlphaSMS," he said. "Others lead to cross-promotion of other infected apps on Google Play. The APKs themselves have names such as skype_installer.apk, mail.apk, and vkontakte_installer.apk in an attempt to trick the user into accepting the permissions requested during APK installation and also line up with the text in the news article about this being part of a critical update."

He added that developers need to pay very close attention to any third-party libraries they include in their applications, as unsafe libraries can put their users and reputation at risk. So far it's unclear whether some or all of the apps were launched with the intent of hosting BadNews, or if many developers were simply duped into installing the malicious network.

"Based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetization SDK," he said.

Ask a Category Expert

Create a new thread in the Streaming Video & TVs forum about this subject

Example: Notebook, Android, SSD hard drive

This thread is closed for comments
  • -1 Hide
    otacon72 , April 20, 2013 6:45 PM
    Google Play has malware? No....say it aint so. Nothing new here...
  • -1 Hide
    andrerichards , April 20, 2013 8:17 PM
    Good god, when did Android become such a sh*tshow? I was an early adopter of Android who jumped to iOS and haven't really paid much attention to the platform. Seems every day brings some new security issue or virus outbreak. People used to say that Android would be to mobile what Windows was to the desktop and, sadly, that's starting to become reality.
  • Display all 9 comments.
  • 0 Hide
    STravis , April 20, 2013 8:49 PM
    downloaded between 2M and 9M times? So what we're saying is that we don't know how many times it's been downloaded (because the range 2 to 9 M is so large it's useless to even bother giving it out)
  • 2 Hide
    miki_x1 , April 20, 2013 9:05 PM
    rather use android, and decide myself which application to install then have Apple decide what applications are allowed in istore
  • 0 Hide
    miki_x1 , April 20, 2013 9:10 PM
    rather use android, and decide myself which application to install then have Apple decide what applications are allowed in istore
  • -1 Hide
    sykozis , April 21, 2013 8:42 PM
    Things like this make me happy I have a blackberry....
  • -2 Hide
    rebel1280 , April 22, 2013 7:04 AM
    As if the fragmentation wasn't bad enough, the effects of it are down right terminal. Hard to patch any software out there when its so non-uniform. :( 
  • 0 Hide
    abbadon_34 , April 24, 2013 2:11 AM
    Oooo, you mean I need an anvirus program? You telling me the internet is risky? Internet phones have internet problems? Say it ain't so!!!
Tom’s guide in the world
  • Germany
  • France
  • Italy
  • Ireland
  • UK
Follow Tom’s guide
Subscribe to our newsletter
  • add to twitter
  • add to facebook
  • ajouter un flux RSS