According to Lookout Mobile Security, the ‘BadNews’ library has been folded into as many as 32 Android apps from four different developer accounts, and all of these apps are available in Google Play without having triggering any of Google’s malicious-app defenses. Security researchers at Lookout said that once a smartphone is infected with the malware, the handset connects to a malicious server every four hours and sends out sensitive information about the user.
The details sent out include the smartphone’s phone number and its International Mobile Station Equipment Identity (IMEI) number. In some instances, researchers found that the C&C server was prompting users to install AlphaSMS, a trojan known to send text messages to premium numbers.
Google has a countermeasure against malicious apps: Bouncer, which scours Google Play for bad apps. To get around these defenses, the people behind ‘BadNews’ sneaked the library into Google Play by adding it to apps that had already been submitted and accepted. According to stats on Google Play, the apps have been downloaded between 2 million and 9 million times.
“Because it’s challenging to get malicious bad code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny,” noted Marc Rogers in a blog post.