BadNews Trojan Is Bad News for Android Users
Mobile security company Lookout has found a new form of malware in 32 Android apps published by four different developers. Combined, the infected apps have been downloaded between 2 million and 9 million times.
Disguised as an advertising network to support free-to-play apps, the new malware, which Lookout has named "BadNews," actually pushes a well-known fraud malware called AlphaSMS that is able to gather sensitive information from the infected mobile phone and bill the phone's user with fraudulent charges.
What makes BadNews especially harmful is that it can lie dormant in its carrier apps for several weeks after download, which helped the malware sneak past the Google Play store's security and made it difficult to detect.
Once activated, BadNews gathers sensitive information from the infected device and sends it to a command-and-control server. On command from the server, the malware can also display fake news to the device users, and prompt installation of a program that will fraudulently charge users' accounts.
To trick users into downloading this program, the files are often given misleading names, such as "skype_installer.apk" or "vkontakte_intaller.apk." Vkontakte is a popular Russian social networking app. Users download the fraudulent APKs believing they are actually updates for these popular apps.
Rubbing salt in the wound, the BadNews malware uses its advertising façade to promote other infected apps.
Many of the carrier apps are games or other innocuous-seeming apps like wallpapers or recipe books. More than two-thirds of the apps are in Russian; the rest are English.
BadNews is operated through three command-and-control servers that Lookout has traced to Russia, Ukraine and Germany. They are currently still active, but Lookout reports it is working to "bring them down."
Lookout Mobile Security first found the BadNews malware and notified the Google Play store on April 19. Google promptly removed the apps from the store and suspended the associated developer accounts.
This doesn't necessarily mean the app developers are complicit; Lookout points out that developers need to carefully screen any third-party libraries they use to build their apps, as these can be unsafe or outright malicious.
If you're worried about your Android device, you can go to Android settings and uncheck "unknown sources" (depending on your device, it may be under Security or Applications) to prevent automatic and drive-by installation of unregistered software. You can also use security software like Lookout's own to guard your phone from malware.
In their company blog, Lookout called BadNews "a significant development in the evolution of mobile malware" because of its ability to escape detection by delaying activation.
For the full report on Lookout's findings, check their company blog.