Mobile security firm Lookout has discovered BadNews, a new malware family, in 32 apps across four different developer accounts in Google Play. According to Google Play statistics, the combined affected applications have been downloaded between 2,000,000 – 9,000,000 times. During its investigation Lookout caught BadNews pushing AlphaSMS, well-known premium-rate SMS fraud malware, to infected devices.
About 50% of the identified applications are in Russian, and AlphaSMS is designed to commit premium-rate SMS fraud in the Russian Federation and neighboring countries such as the Ukraine, Belarus, Armenia and Kazakhstan. It’s worth noting that the people controlling this malware are also using it to promote their less popular apps, which also contain BadNews.
“We notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation. All Lookout users are protected against this threat,” it said.
BadNews masquerades as an innocent, if somewhat aggressive, advertising network. This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network. Because it’s challenging to get malicious code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass app scrutiny.
BadNews has the ability to send fake news messages, prompt users to install applications and send sensitive information such as the phone number and device ID to its Command and Control (C&C) server. BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps.
BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior. If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred. We have two big takeaways from the appearance of BadNews:
BadNews is spun to look like an ordinary advertising network SDK and is hosted in a number of innocuous applications that range from Russian dictionary apps to popular games. It distributes the exact same malware that we have observed across a number of shady affiliate-based marketing websites. In addition, we found BadNews promoting other less popular affiliated apps, including a Russian diet app which also contained BadNews.
It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network. However, based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetization SDK.
Once activated, BadNews polls its C&C server every four hours for new instructions while pushing several pieces of sensitive information including the device’s phone number and its serial number (IMEI) up to the server.
The C&C server replies with instructions telling BadNews what to do next. Available instructions include displaying (fake) news to users, and prompting for installation of a downloaded app payload.
The Russian text roughly translates to “Critical Update to Vkontakte,” implying an available update to a popular Russian social networking app. We have also observed available “update” prompts for Skype.
In each case, the URL points to a download for the prolific AlphaSMS toll fraud app, which purports to install freely available software, but actually results in fraudulent charges via Premium SMS.
We have enumerated the majority of available download URLs and determined that most endpoints lead to the download of AlphaSMS. Others lead to cross-promotion of other infected apps on Google Play.
The APKs themselves have names such as skype_installer.apk, mail.apk, and vkontakte_installer.apk, in an attempt to trick the user into accepting the permissions requested during APK installation. The names also line up with the text in the news article, which presents this as part of a critical update.
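The following is an added example, not code from Lookout or from the original article: a defender-side hunt over web proxy logs for the three behaviours described above, namely polling at four-hour intervals, a Luhn-valid 15-digit IMEI sent in a request, and downloads of the APK names listed. The log format, hosts, parameter names and jitter tolerance are constructed, and the example assumes the traffic is visible to an HTTP proxy.

```python
import re
from collections import defaultdict
from datetime import datetime

POLL_SECONDS = 4 * 3600   # polling interval reported in the article
TOLERANCE = 300           # assumed allowance for timing jitter, in seconds
MIN_GAPS = 3              # assumed number of regular gaps before flagging
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")
APK_RE = re.compile(r"/(?:skype_installer|vkontakte_installer|mail)\.apk(?:\?|$)")

# Constructed log, "time client host url"; hosts and parameters are hypothetical.
SAMPLE_LOG = """\
2013-04-19T00:00:05 10.0.0.7 ads.example.net /poll?id=490154203237518&msisdn=79001234567
2013-04-19T04:00:09 10.0.0.7 ads.example.net /poll?id=490154203237518&msisdn=79001234567
2013-04-19T08:00:02 10.0.0.7 ads.example.net /poll?id=490154203237518&msisdn=79001234567
2013-04-19T12:00:11 10.0.0.7 ads.example.net /poll?id=490154203237518&msisdn=79001234567
2013-04-19T12:01:30 10.0.0.7 dl.example.org /files/skype_installer.apk
2013-04-19T09:13:00 10.0.0.9 news.example.com /index.html?ref=123456789012345
2013-04-19T10:40:00 10.0.0.9 news.example.com /story/42
"""

def luhn_ok(digits):
    """True if the digit string passes the Luhn check that IMEIs carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def analyze(log_text):
    """Return {(client, host): [finding, ...]} for the three behaviours."""
    times, findings = defaultdict(list), defaultdict(set)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, client, host, url = line.split(" ", 3)
        times[(client, host)].append(datetime.fromisoformat(ts))
        if any(luhn_ok(m) for m in IMEI_RE.findall(url)):
            findings[(client, host)].add("imei_in_request")
        if APK_RE.search(url):
            findings[(client, host)].add("named_apk_download")
    for key, seen in times.items():
        seen.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
        if sum(abs(g - POLL_SECONDS) <= TOLERANCE for g in gaps) >= MIN_GAPS:
            findings[key].add("four_hour_beacon")
    return {key: sorted(found) for key, found in findings.items()}

if __name__ == "__main__":
    for (client, host), found in analyze(SAMPLE_LOG).items():
        print(client, host, found)
```

The Luhn check keeps arbitrary 15-digit values (such as the `ref` parameter in the sample) from being reported as IMEIs; a generic name like mail.apk will still need the download host reviewed before it is treated as a hit.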