Lookout Security uncovered the newcomer and notified Google, which promptly removed all of the affected apps and suspended the associated developer accounts pending further investigation, the company said in a blog post. The command-and-control (C&C) servers, meanwhile, are located in Russia, Ukraine and Germany and are still live, but Lookout said it is working to have them taken down.
Even so, BadNews has managed to be very bad news indeed: according to Google Play statistics, the combined affected applications have been downloaded between 2 million and 9 million times.
That distribution success makes BadNews a significant development in the evolution of mobile malware, Lookout said. To achieve such widespread propagation, it delays its malicious behavior until instructed by its server, so the apps behave innocuously at the time they are reviewed. “If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred,” explained Lookout.
And so, enterprise security managers “must assume that even very well-designed app-vetting processes will not be able to detect malicious behavior that hasn’t happened yet,” Lookout noted. “Ongoing security monitoring is important to detect malicious behavior that happens sometime after an app’s initial evaluation.”
BadNews is fundamentally a fraud vector. During its investigation, Lookout caught BadNews pushing AlphaSMS, a well-known premium-rate SMS fraud malware, to infected devices. Its core capabilities are to display fake news messages, prompt users to install applications, and send sensitive information such as the phone number and device ID to its C&C server. The fake news messages are the delivery mechanism: BadNews uses them to push other monetization malware and to promote affiliated apps.
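The two points above, that vetting only sees what an app has already done and that ongoing monitoring has to catch what happens later, can be made concrete with a small post-vetting behaviour monitor. The following is an added example written for this page, not code from the article, from Lookout or from BadNews itself; the log format, the package name, hosts, short code and identifiers in the sample telemetry, the vetting cutoff, and the rules themselves are all assumptions made for illustration. The rules follow the behaviours the article lists: identifiers posted to a host the app never contacted during review, prompts to install further packages, and SMS to premium-rate short codes.

```python
"""Runtime monitor for the "dormant until told otherwise" pattern.

Added example, not Lookout's or BadNews's code. Log format, sample events,
cutoff and rules are assumptions for illustration only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Constructed telemetry for one hypothetical app (not data from the article).
# One event per line: ISO timestamp, package, event kind (NET/UI/SMS), detail.
SAMPLE_LOG = """\
2013-04-01T10:00:00 com.example.dictionary NET GET http://ads.example.net/config
2013-04-01T10:00:02 com.example.dictionary NET GET http://ads.example.net/banner.png
2013-04-20T08:12:00 com.example.dictionary NET POST http://203.0.113.7/api/ imei=356938035643809&phone=%2B79161234567
2013-04-20T08:12:05 com.example.dictionary UI PROMPT install=newsupdate.apk
2013-04-20T08:13:00 com.example.dictionary SMS SEND to=4161 body=SUB
"""

IMEI_RE = re.compile(r"\b\d{15}\b")                       # 15-digit device ID
PHONE_PARAM_RE = re.compile(r"(?:^|&)(?:phone|msisdn|number)=")
SHORT_CODE_RE = re.compile(r"^\d{3,6}$")                  # premium-rate short codes


@dataclass(frozen=True)
class Event:
    ts: datetime
    app: str
    kind: str   # NET, UI or SMS
    detail: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    app: str
    rule: str
    detail: str


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, app, kind, detail = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), app, kind, detail))
    return events


def _host(net_detail: str) -> str:
    return urlsplit(net_detail.split()[1]).hostname or ""


def check_event(ev: Event, known_hosts: set[str]) -> list[Alert]:
    """Apply the behavioural rules to one event; returns zero or more alerts."""
    alerts = []
    if ev.kind == "NET":
        parts = ev.detail.split(maxsplit=2)
        host = urlsplit(parts[1]).hostname or ""
        body = parts[2] if len(parts) > 2 else ""
        if host not in known_hosts:            # endpoint never seen during vetting
            alerts.append(Alert(ev.ts, ev.app, "new_endpoint", host))
        if IMEI_RE.search(body) or PHONE_PARAM_RE.search(body):
            alerts.append(Alert(ev.ts, ev.app, "device_identifier_exfil", host))
    elif ev.kind == "UI" and ev.detail.startswith("PROMPT install="):
        alerts.append(Alert(ev.ts, ev.app, "install_prompt", ev.detail.split("=", 1)[1]))
    elif ev.kind == "SMS":
        fields = dict(f.split("=", 1) for f in ev.detail.split()[1:])
        if SHORT_CODE_RE.match(fields.get("to", "")):
            alerts.append(Alert(ev.ts, ev.app, "premium_sms", fields["to"]))
    return alerts


def vet_once(events: list[Event], app: str, vetted_until: str) -> tuple[bool, set[str]]:
    """Snapshot vetting: judge only what the app did up to the cutoff.

    Returns (looks_safe, hosts contacted during the vetting window)."""
    cutoff = datetime.fromisoformat(vetted_until)
    window = [ev for ev in events if ev.app == app and ev.ts <= cutoff]
    hosts = {_host(ev.detail) for ev in window if ev.kind == "NET"}
    alerts = [a for ev in window for a in check_event(ev, hosts)]
    return not alerts, hosts


def monitor(events: list[Event], app: str, vetted_until: str) -> list[Alert]:
    """Ongoing monitoring: judge post-vetting events against the vetting baseline."""
    cutoff = datetime.fromisoformat(vetted_until)
    _, baseline_hosts = vet_once(events, app, vetted_until)
    return [a for ev in events if ev.app == app and ev.ts > cutoff
            for a in check_event(ev, baseline_hosts)]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    safe, _ = vet_once(evs, "com.example.dictionary", "2013-04-02T00:00:00")
    print("vetting verdict:", "safe" if safe else "suspicious")
    for a in monitor(evs, "com.example.dictionary", "2013-04-02T00:00:00"):
        print(f"{a.ts.isoformat()} {a.rule}: {a.detail}")
```

Run against the constructed log, the vetting pass reports the app as safe (it only fetched ad config from one host during review), while the monitor raises four alerts weeks later: a new endpoint, device identifiers posted to it, an install prompt and an SMS to a short code. The design choice worth keeping is that the vetting window is a baseline rather than a verdict: what the app did during review defines "normal", and deviations after the cutoff are what get escalated.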
It appears to be aimed at Eastern Europe. Much of the code in BadNews has previously appeared in other families associated with Eastern European toll fraud. About 50% of the identified applications are in Russian, while AlphaSMS is designed to commit premium rate SMS fraud in the Russian Federation and neighboring countries such as Ukraine, Belarus, Armenia and Kazakhstan.
“BadNews is spun to look like an ordinary advertising network SDK and is hosted in a number of innocuous applications that range from Russian dictionary apps to popular games,” Lookout said. “It distributes the exact same malware that we have observed across a number of shady affiliate-based marketing websites. In addition, we found BadNews promoting other less popular affiliated apps, including a Russian diet app which also contained BadNews.”
To stay safe, app developers need to pay very close attention to any third-party libraries they include in their applications, the firm advised, since an unsafe library ships with the same permissions and trust as the app itself and can put both its users and the developer's reputation at risk.