Malware named BadNews has been discovered hidden inside as many as 32 Android apps, which could have been downloaded by around nine million users. Security firm Lookout Mobile was the first to spot the malware and announced it in a blog post on Friday. The affected apps, some of them Russian, and their developers were soon removed by Google.
All of the innocent-looking gaming, dictionary and wallpaper apps, such as Stupid Birds, Little Fox and Star Knife, were found to carry malicious code that had previously been approved by Google. Those apps reported back to a server every four hours and revealed sensitive user information such as phone numbers and device serial numbers (IMEI). The Command and Control (C&C) server, which was operational as of Friday, also forced some phones to display notifications prompting users to install apps with download file names like skype_installer.apk. That file was in fact 'AlphaSMS', a Trojan that sent messages to costly services, incurring charges without the users' knowledge.
The people behind BadNews were also cunning enough to include prompts suggesting that users install the other affected apps in Google Play, giving the malware many paths to continue the infection if the user deleted a previously infected app. Principal security researcher for Lookout, Marc Rogers, stated that it is unclear whether only a few or all of these apps were introduced with the intent of including BadNews, or whether innocent developers had been tricked into installing the malicious advertising network. Lookout's analysis of the backend code behind the ad network revealed that BadNews is a harmful, deceptive monetization SDK.
Malicious programs have been threatening Google Play ever since its debut as Android Market in 2008. A recent report by NQ Mobile showed that almost 33 million Android devices had been affected by malware last year, a 200 percent increase from the number of Android smartphones and tablets reported to be infected in 2011. Android has consistently featured as one of the more vulnerable platforms among the top operating systems. As Rogers stated, this incident is a wake-up call for everyone in the industry to realize that the bad guys are equally smart and that they find and exploit loopholes in the security models in place.