This week, Lookout announced the discovery of a new Android malware family called BadNews, present in 32 applications from four different developers on the Google Play Store.
The company reports that the applications have been downloaded between 2,000,000 and 9,000,000 times, but that Google has already removed all of them from the store and suspended the associated developer accounts.
The security company also explains that BadNews appeared to be an innocent, albeit somewhat aggressive, advertising network, and that this was the first time that malware was distributed disguised as an ad network.
“Because it’s challenging to get malicious bad code into Google play, the authors of Badnews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny,” the company states in a blog post.
The malware, however, has the ability to send fake news messages, and even prompts users to install various applications. Furthermore, it sends out details on the user, including phone number and device ID.
“BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps,” Lookout explains.
The company also notes that BadNews was found to be pushing AlphaSMS, a known premium-rate SMS fraud malware, to the infected devices.
“BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior,” the company also notes.
“If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred.”
Lookout states that developers should pay close attention to the third-party libraries that they include in their apps, and that enterprises should constantly keep an eye on applications, as even well-designed app-vetting processes won’t be able to detect malicious behavior that hasn’t happened yet.