BadNews for Google Play users
Downloading apps from Google Play may get you some unexpected extra software. Mobile security specialist Lookout has uncovered a piece of code called BadNews, which poses as an advertising network in order to push malware out to infected devices. By using the ad network as a front, it bypasses the checks that prevent malware from getting onto the store.
The BadNews code was found in 32 apps across four different developer accounts. Google has now removed the apps and suspended the accounts, but it’s estimated that these apps have already been downloaded several million times. About half of the identified apps are in Russian, and the payload is designed to commit premium-rate fraud in Russia and neighbouring countries.
Once installed on a device, BadNews can send fake news messages and prompt the user to install more apps. It also sends information, including the device ID and phone number, back to its command and control server.
The links pushed by BadNews include fake updates for a popular Russian social network and for Skype. In each case, the links lead to the well-known AlphaSMS malware, which results in fraudulent premium-rate charges.
This is an interesting development in mobile malware: because the app's actions are delayed and triggered via a server, it is able to slip past vetting procedures. The delay also gives the developers time to notch up some positive feedback for the app on the store before it triggers its infection, giving it a chance to spread to more devices.
To stay safe, Android users should make sure their "Unknown sources" system setting is turned off to prevent drive-by installs, and should keep their security software up to date.