Android users, look out because there is another malware in the wild. A mobile security research firm has found 32 apps infected with a new malware called BadNews that pretends to be a third-party advertising network and pushes out a well-known SMS fraud app to infected devices.
Lookout Mobile Security discovered the malware in 32 apps across four developer accounts on the Google Play store – with half of the apps are in Russian. BadNews has the ability to “send fake news messages, prompt users to install applications and sends sensitive information such as the phone number and device ID” back to its author, according to Lookout.
“BadNews is spun to look like an ordinary advertising network SDK and is hosted in a number of innocuous applications that range from Russian dictionary apps to popular games,” Lookout said in a security warning blog post.
“It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network. However, based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetization SDK.”
How does it work? Once activated, it communicates to its command-and-control server in order to get the instructions from its author. One such method is to display fake news to users, such as prompting users to download a “Critical Update” to a social networking app. Once clicking on that URL, users then download the SMS fraud app AlphaSMS instead of the “app update”.
However, the most interesting thing about BadNews is how it managed to avoid the app vetting process to make sure no malicious software is put on Google Play. BadNews can delay its behaviour – i.e. pushing AlphaSMS – tricking those who review apps into thinking it was safe.
Google has immediately removed these apps from Google Play.