Mobile security company Lookout claims to have discovered BadNews, a new malware family that's affecting Android apps.
The company found the malware in 32 apps across four different developer accounts in the Google Play store. Talking about it in a
blogpost, Lookout mentioned that the affected apps have been downloaded between 2,000,000 - 9,000,000 times. Google has removed all the apps and suspended accounts of the specific developers, as per Lookout.
Half of the affected apps were found to be in Russian and AlphaSMS, an SMS fraud malware that was also being pushed by BadNews is found to be involved in committing premium rate SMS fraud in the Russian Federation and neighbouring countries such as the Ukraine, Belarus, Armenia and Kazakhstan. The apps that feature the malware range from Russian dictionary apps to popular games to even innocent ones like apps offering salad recipes.
BadNews works by disguising as an ad network and later pushes malware to the user's device after an affected app is installed. It sends fake news messages, prompts users to install apps and sends sensitive information such as the user's phone number and device ID to its Command and Control server.
Following initial activation, the BadNews contacts its server every four hours for new instructions while sending sensitive information such as the device's phone number and its serial number (IMEI) to the server. The server replies with instructions including displaying (fake) news to users, and asking them to install new app updates. The app updates are new malware apps disguised with names of popular apps like Skype.
The malware acts as a challenge to the people who filter apps for malware at the Play Store as it's not directly included in the app and comes into existence after the app connects to the malware server.
However, Lookout mentions that it is not clear whether some or all of these apps were launched with the intent of spreading the BadNews malware or developers were caught unaware as they included code to earn money thinking that BadNews was just an ad network for monetization, as it's disguised as a fraudulent monetization SDK.