'BadNews' malware sneaks into Google Play apps

If you're big into random Russian apps on Google Play, watch out – you might very well have been one of the many victims of a new threat dubbed "BadNews."

The appropriately named malware was first discovered by the mobile security company Lookout. According to a blog post by principal security researcher Marc Rogers, the malware was disguised within 32 different apps published by four different developers in Google Play. Around half of these apps were predominantly Russian, but the others – found within apps and games carrying such innocent names as "Little Fox," "Star Knife," and "Stupid Birds," among others – appeared more easily downloadable by the casual Google Play browser.

And download them they did: the affected apps were downloaded between two and nine million times in total, Rogers said. There is a silver lining, however: Lookout has already informed Google about the malware, and Google in turn has deleted the apps from Google Play and removed the offending developer accounts from the market.

BadNews isn't notable for its infection rate so much as for the relatively creative tactics the malware employed to tamper with users' devices – and to sustain itself on Google Play.

"Because it's challenging to get malicious bad code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny," Rogers wrote.

"BadNews has the ability to send fake news messages, prompt users to install applications and send sensitive information such as the phone number and device ID to its Command and Control (C&C) server. BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps," he added.

Specifically, BadNews lies dormant on a user's device and polls its C&C server every four hours until the server responds with instructions. The aforementioned "fake news messages" can be made to look like a request to update an already installed app – a fairly innocent request that a user might well accept, which instead installs an SMS app on the phone that starts racking up charges.
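The four-hour polling described above is the kind of regularity a defender can look for in outbound request logs. The following script is an added example, not code from the article or from Lookout: it groups requests by (package, destination host) and flags pairs whose inter-request gaps are near-constant at roughly four hours. The log format, package names and the `c2.placeholder.invalid` host are constructed placeholders.

```python
"""Flag fixed-interval beaconing in outbound request logs.
Added example (not from the article or Lookout): BadNews is described as
polling its C&C server every four hours, so (package, host) pairs with
near-constant ~4h gaps are flagged. Names and hosts are placeholders."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log, one request per line: "<timestamp> <package> <host>"
SAMPLE_LOG = """\
2013-04-19T00:02:11 com.example.littlefox c2.placeholder.invalid
2013-04-19T00:05:40 com.example.weather api.weather.example
2013-04-19T04:02:15 com.example.littlefox c2.placeholder.invalid
2013-04-19T08:02:09 com.example.littlefox c2.placeholder.invalid
2013-04-19T09:17:03 com.example.weather api.weather.example
2013-04-19T12:02:13 com.example.littlefox c2.placeholder.invalid
2013-04-19T16:02:10 com.example.littlefox c2.placeholder.invalid
"""

def parse_log(text):
    """Group request timestamps by (package, host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, pkg, host = line.split()
        series[(pkg, host)].append(datetime.fromisoformat(ts))
    return series

def find_beacons(series, period=timedelta(hours=4), tolerance=0.05, min_hits=4):
    """Return (package, host) pairs whose inter-request gaps are regular:
    at least min_hits requests, mean gap within tolerance of period, and
    low jitter (population std-dev of gaps within the same tolerance)."""
    target = period.total_seconds()
    flagged = []
    for key, times in series.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if abs(mean(gaps) - target) <= tolerance * target \
                and pstdev(gaps) <= tolerance * target:
            flagged.append(key)
    return flagged

if __name__ == "__main__":
    for pkg, host in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"periodic beacon: {pkg} -> {host}")
```

On the constructed sample, only the "littlefox" package is flagged; the weather app's three irregular requests are not.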

Worse for users, these bogus "critical updates" are given names that make them look like an innocent app, such as "skype_installer.apk," rather than the more obvious "AlphaSMS" – the "toll fraud" app most commonly installed as part of a BadNews infection. BadNews can also prompt users to install other infected apps found within Google Play, presumably to ensure that the malware has multiple pathways for continued infection should a user delete a previously installed (infected) app or two.

As for protecting against future infections, Rogers naturally recommends that users install an app like Lookout Security & Antivirus, which he says protected against BadNews from the moment it appeared. Additionally, Rogers suggests, concerned users should make sure that Android's "Unknown Sources" setting is disabled, so that apps cannot be installed from outside Google Play.

"It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network. However, based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetization SDK," Rogers wrote.

According to a recent report by NQ Mobile, nearly 33 million Android devices were affected by some kind of malware in 2012 – up more than 200 percent from the number of infected Android devices reported in 2011.