BadNews malware may have hit up to 9 million Android devices
First, the good news: Google has recently yanked out apps containing the "BadNews" malware from Google Play and suspended the developer accounts involved.
Now, the bad news: the malware, also named "BadNews," may have already affected as many as nine million Android devices by then, security vendor Lookout said.
"BadNews masquerades as an innocent, if somewhat aggressive advertising network. This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network. Because it’s challenging to get malicious bad code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny," it said in a blog post.
Once installed, the malware can send fake news messages, prompt users to install apps, and send sensitive information such as the phone number and device ID to its Command and Control (C&C) server.
It said BadNews had been observed pushing AlphaSMS, a well-known premium-rate SMS fraud malware, to infected devices.
Lookout said it discovered BadNews in 32 apps in four different developer accounts in Google Play.
Citing Google Play statistics, it said the combined affected applications have been downloaded "between 2,000,000 to 9,000,000 times."
"We notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation. All Lookout users are protected against this threat," it said.
Malicious apps
Lookout said about half of the identified applications are in Russian, and that AlphaSMS is designed to commit premium-rate SMS fraud in the Russian Federation and neighboring countries such as the Ukraine, Belarus, Armenia and Kazakhstan.
"It’s worth noting that the people controlling this malware are also using it to promote their less popular apps, which also contain BadNews," it said.
Evolution
Lookout said BadNews is a "significant development in the evolution of mobile malware" because it got itself distributed by using a server to delay its behavior.
"If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred," it said.
Once activated, BadNews polls its C&C server every four hours for instructions. It also sends sensitive information such as the device’s phone number and its serial number (IMEI).
The C&C server can instruct the app to display fake news to users, and prompt for installation of a downloaded app payload.
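For network defenders, the fixed four-hour polling cycle described above is itself a detectable signal. The sketch below is an added example, not code from Lookout or from the original report: it flags device and host pairs whose request gaps are both close to a chosen period and steady. The log format, device names, host names and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the article): "ISO-time device host"
SAMPLE_LOG = """\
2024-01-01T00:03:10 phone-a ads.example.test
2024-01-01T04:02:55 phone-a ads.example.test
2024-01-01T08:03:20 phone-a ads.example.test
2024-01-01T12:03:05 phone-a ads.example.test
2024-01-01T09:15:00 phone-a news.example.test
2024-01-01T09:17:30 phone-a news.example.test
2024-01-01T13:40:00 phone-a news.example.test
2024-01-01T21:05:00 phone-a news.example.test
2024-01-01T01:00:00 phone-b ads.example.test
2024-01-01T05:00:00 phone-b ads.example.test
"""

def find_beacons(log_text, period_s=4 * 3600, tolerance=0.05, min_gaps=3):
    """Return sorted (device, host) pairs whose request gaps sit near period_s."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, device, host = parts
        try:
            seen[(device, host)].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # skip lines with an unparseable timestamp
    flagged = []
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps:
            continue  # too few samples to call it periodic
        # The average gap alone is not enough: irregular browsing can average
        # out near four hours, so the spread of the gaps must be small as well.
        near_period = abs(mean(gaps) - period_s) <= tolerance * period_s
        steady = pstdev(gaps) <= tolerance * period_s
        if near_period and steady:
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    for device, host in find_beacons(SAMPLE_LOG):
        print(f"{device} contacts {host} on a ~4 hour cycle")
```

In the sample, the traffic from phone-a to news.example.test averages close to four hours between requests but is rejected because the gaps vary widely, which is why both conditions are checked.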
Tips to developers
Lookout said developers should pay close attention to any third-party libraries they include in their applications.
It added enterprise security managers must assume that even very well-designed app-vetting processes "will not be able to detect malicious behavior that hasn’t happened yet." — TJD, GMA News