Mobile security firm Lookout uncovered new Android malware, posing as an “innocent, if somewhat agressive” ad network.
The malware family, called BadNews, has been discovered in 32 apps across four different Google developer accounts. According to Google Play statistics, the combined affected applications have been downloaded between 2 million and 9 million times.
“This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network,” says Marc Rogers in a Lookout blog.
“Because it’s challenging to get malicious bad code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny,” he continued.
On discovering the new malware, Lookout notified Google. Each of the identified apps has now been removed while the associated developer accounts have been suspended pending further investigation.
Lookout said that it is not clear if some or all of the affected apps were launched with the intention of hosting BadNews, or if legitimate developers were “duped into installing a malicious advertising network”. But it continued: “there is little doubt that BadNews is a fraudulent monetisation SDK.”
Around half of the identified applications are in Russian. BadNews has also been pushing AlphaSMS, a well-known premium-rate SMS fraud malware, to infected devices.
“BadNews has the ability to send fake news messages, prompt users to install applications and send sensitive information, such as the phone number and device ID, to its command and control server,” said Rogers.
“BadNews uses its ability to display fake news messages in order to push out other types of monetisation malware and promote affiliated apps,” he said.