Lookout Security said on Friday that it has discovered a new family of malware called BadNews. The company uncovered the malware in 32 applications listed by four different developer accounts on Google Play.
In a blog post by Lookout's Marc Rogers, the firm said that BadNews masquerades as an innocent, if aggressive, advertising network embedded in otherwise real Android apps, and only later advertises malware disguised as updates or other free software. Because the malicious behaviour is deferred, the host apps themselves pass through Google's app "scrutiny".
"According to Google Play statistics, the combined affected applications have been downloaded between 2,000,000 – 9,000,000 times," the company said. "We notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation."
BadNews works by sending fake news messages to the user, prompting them to install disguised malware like AlphaSMS, a well-known premium rate SMS fraud malware. BadNews also sends sensitive information such as the phone number and device ID to its Command and Control (C&C) server.
"BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior," Rogers said in Friday's update. "If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred."
Once the "infected" app is installed on the user's device, BadNews polls its C&C server every four hours for new instructions while relaying several pieces of sensitive information. The server replies with instructions, telling BadNews to post fake news which prompts the user to select a link to a download. Infected users think they are downloading updates or free software, but in reality most of the URLs point to a download for the AlphaSMS toll fraud app. This app pretends to install the supposed freely available software, but actually results in fraudulent charges via Premium SMS instead.
"We have enumerated the majority of available download URLs and determined that most endpoints lead to the download of AlphaSMS," he said. "Others lead to cross-promotion of other infected apps on Google Play. The APKs themselves have names such as skype_installer.apk, mail.apk, and vkontakte_installer.apk in an attempt to trick the user into accepting the permissions requested during APK installation and also line up with the text in the news article about this being part of a critical update."
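The two behaviours described above, the fixed four-hour C&C poll and the follow-on download of APKs with names such as skype_installer.apk, are the kind of thing a network defender can look for in outbound proxy logs. The following is an added detection example, not code from Lookout or the article; the log lines, hostnames (reserved `.invalid` names) and device identifiers are constructed, and the four-hour interval and APK filenames are taken from the text.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not from the article): timestamp, device, host, path.
# dev-a1 beacons every ~4 h and then fetches an APK; dev-b2 is ordinary, irregular traffic.
SAMPLE_LOG = """\
2013-04-19T00:02:11 dev-a1 ads.example-sdk.invalid /poll?id=DEVICEID-PLACEHOLDER
2013-04-19T04:02:30 dev-a1 ads.example-sdk.invalid /poll?id=DEVICEID-PLACEHOLDER
2013-04-19T08:01:58 dev-a1 ads.example-sdk.invalid /poll?id=DEVICEID-PLACEHOLDER
2013-04-19T12:02:05 dev-a1 ads.example-sdk.invalid /poll?id=DEVICEID-PLACEHOLDER
2013-04-19T12:05:40 dev-a1 dl.example-sdk.invalid /get/skype_installer.apk
2013-04-19T00:10:00 dev-b2 cdn.example-news.invalid /feed.json
2013-04-19T00:41:00 dev-b2 cdn.example-news.invalid /feed.json
2013-04-19T03:15:00 dev-b2 cdn.example-news.invalid /feed.json
"""
SUSPECT_APKS = {"skype_installer.apk", "mail.apk", "vkontakte_installer.apk"}  # names from the article
POLL_INTERVAL_S = 4 * 3600   # BadNews polls its C&C every four hours
TOLERANCE_S = 5 * 60         # jitter allowed around the interval (assumed value)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse(log):
    """Turn log text into (timestamp, device, host, path) tuples; skip malformed lines."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def find_beacons(rows, interval=POLL_INTERVAL_S, tol=TOLERANCE_S, min_hits=3):
    """Return (device, host) pairs whose request gaps cluster at `interval` seconds."""
    by_pair = defaultdict(list)
    for ts, dev, host, _ in rows:
        by_pair[(dev, host)].append(ts)
    beacons = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - interval) <= tol]
        if len(regular) >= min_hits - 1:   # min_hits requests give min_hits-1 gaps
            beacons.append(pair)
    return beacons

def find_apk_downloads(rows):
    """Return (device, filename) for downloads of the APK names the article lists."""
    hits = []
    for _, dev, _, path in rows:
        name = path.rsplit("/", 1)[-1].lower()
        if name in SUSPECT_APKS:
            hits.append((dev, name))
    return hits
```

Correlating a beaconing pair with a subsequent APK download from the same device is the strongest signal here; either check alone will produce false positives on legitimate ad SDKs and software updaters.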
He added that developers need to pay very close attention to any third-party libraries they include in their applications, as unsafe libraries can put their users and reputation at risk. So far it's unclear whether some or all of the apps were launched with the intent of hosting BadNews, or if many developers were simply duped into installing the malicious network.
"Based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetization SDK," he said.