BadNews infections in Google Play spread premium-rate SMS trojan

Researchers have discovered a new family of malware that found its way into legitimate apps inside Google's official store thanks to a malicious advertising network.

Dubbed “BadNews” by Lookout, a San Francisco-based mobile security firm, the malware was detected in 32 apps across four different developer accounts in Google Play, a Friday blog post from Lookout said.

The company estimates that the apps had been downloaded somewhere between two million and nine million times, but apparently far fewer devices were actually hit with malicious code.

BadNews “ads” were hosted in a range of apps, from popular games to Russian dictionary apps (about 50 percent of the malicious apps are in Russian). The fake ads prompted users to download updates to other apps or social networking services, like Skype. But doing so took them to a site where additional malware, called AlphaSMS, was downloaded. AlphaSMS is designed to look like an app downloader, but once installed, it actually forces infected devices to send out premium-rate texts.

Google has since investigated and immediately removed all of the affected apps, while also suspending developer accounts associated with the ad network, according to Lookout.

On its own, BadNews malware is capable of sending victims' sensitive information – such as their phone numbers and their devices' unique International Mobile Equipment Identity (IMEI) numbers – to a command-and-control server.

“Because it's challenging to get malicious bad code into Google Play, the authors of BadNews created a malicious advertising network as a front that would push malware out to infected devices at a later date in order to pass the app scrutiny,” Marc Rogers, a principal security researcher at Lookout, wrote in the blog post.

He added that “a typical app-vetting process would, of course, conclude that it was safe because the malicious behavior has not yet occurred.”

Rogers explained that the malware outbreak served as a lesson that developers should closely monitor third-party libraries included in their apps, which could put users at risk.

Lookout is working to take down three BadNews command-and-control servers, believed to be based in Russia, Germany and the Ukraine.
