Android malware developers have come up with an ad network SDK that smuggles malicious software through apparently innocent apps. 32 separate apps on Google Play tested positive for the bug, called BadNews. Google suspended the accounts associated with the apps that had the BadNews malware hidden on them.
The Android BadNews bug stole money from unsuspecting downloaders by racking up charges from sending "premium-rate" text messages. The BadNews-infected apps were recorded pushing AlphaSMS, premium-rate SMS fraud malware seen in the Russian Federation, to devices. The BadNews SDK was downloaded "between 2 and 9 million times" by victims, according to security firm Lookout, which uncovered the BadNews bug.
But how did the BadNews SDK get on the Google Play apps without anyone noticing? Legitimate ad network SDKs, like Google's AdMob SDK, offer app developers the opportunity to host in-app ads to monetize free apps. The BadNews malware masqueraded as in-app advertising to spread fake antivirus.
Apps with the Android malware BadNews include games, dictionaries, and wallpapers, as well as recipe and sex applications. The malicious ad network largely, but not exclusively, targeted Russian-speaking users.
The Android malware SDK causes the application to display fake news messages. For example, a user would receive an in-app "notification" that says they should install a "critical update" to Russian social network Vkontakte, Skype, and other programs. This fake Android update also directs the user to a website to install a premium-rate SMS app that gives the user's phone number and device ID to a command server.
"Because it's challenging to get malicious bad code into Google Play," said Lookout's principal security researcher Marc Rogers in an alert, "the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny."
According to Lookout, the servers have been noted in Russia and Ukraine, with one in Germany. However, the malware targeted Android owners in Belarus and many other Eastern European countries. Android users are encouraged to make sure the Android system setting 'unknown sources' is unchecked to prevent dropped or drive-by-download app installs (and to download a mobile security app, like Lookout's).
"You can't even say Google was at fault in this because Google very clearly scrutinized all these apps when they went in," added Rogers, speaking to Ars Technica. "But these guys were cunning enough to sit there for a couple of months doing absolutely nothing and then they pushed out the malware.
"This is a wakeup call for us in the industry to say that bad guys... [will] take a look at the security models we put in place and they'll find weaknesses in them. That's exactly what they've done here."
Mobile security company NQ Mobile recently published an annual report estimating that Android malware (such as BadNews) more than doubled worldwide last year, with nearly 33 million devices infected (up from 11 million in 2012).