Android malware disguised as mobile ad network infects up to 9M devices


A new malware family dubbed BadNews has been identified in 32 Android applications with combined download totals between 2 million and 9 million, Lookout Mobile Security reports. Google (NASDAQ:GOOG) has already removed all the apps in question and suspended the associated Google Play developer accounts, Lookout adds.

BadNews masquerades as a mobile advertising network. It sends consumers fake news messages that prompt them to install apps, and it sends sensitive information such as the phone number and device ID to its command-and-control server. "BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps," Lookout explains. "During our investigation we caught BadNews pushing AlphaSMS, well known premium rate SMS fraud malware, to infected devices."

Lookout states it has seen few other malicious distribution services posing as ad networks. "Because it's challenging to get malicious bad code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny," the firm states. "BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior. If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred."

Lookout urges developers to pay close attention to all third-party libraries they integrate into their apps, and warns enterprise security managers that even cutting-edge app vetting processes cannot detect malicious behavior that hasn't yet occurred, necessitating ongoing security monitoring.

Malware attacks on Android devices more than doubled in 2012, security solutions firm NQ Mobile reported last week. NQ Mobile discovered 65,227 new pieces of mobile malware in 2012 compared to 24,794 in 2011, a year-over-year increase of 163 percent. Among all new malware discovered last year, 94.8 percent of threats were designed to attack Android, compared to just 4 percent targeting rival open-source platform Symbian. In all, more than 32.8 million Android devices were infected in 2012, up from 10.8 million in 2011, representing an increase of more than 200 percent.

Critics maintain Google has failed to sufficiently police the Play digital storefront, making it easy for attackers to distribute malware via Android applications. Google has made strides to reduce Android threats, however: In early 2012, it unveiled Bouncer, which scans Google Play for malicious apps, and its Android 4.2 OS update, a.k.a. Jelly Bean, bakes in application verification tools.
