Security Experts:

New Android Trojan Fools Traditional Application Vetting Processes

Lookout, a mobile security firm in San Francisco, has discovered a new family of malware targeting Android, and based on Google Play stats – it’s been downloaded at least two million times, but that number could be as high as nine million.

Lookout calls the malware "BadNews", and we’ll leave the opening for a spectacular news related pun out of the picture for the moment. While researching the latest Android threat, Lookout discovered that it was able to harvest information about the device and ship it off to a remote server, as well as send fake news messages and prompt users to install additional applications, which are also malicious.

When installing additional software, BadNews delivers AlphaSMS, which is a well-known SMS fraud app that leads to massive charges by sending messages to premium rate numbers in the Russian Federation and neighboring countries such as the Ukraine, Belarus, Armenia and Kazakhstan.

“BadNews masquerades as an innocent, if somewhat aggressive advertising network. This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network. Because it’s challenging to get malicious bad code into Google play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny,” Lookout explained on their blog.

“BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior. If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred.”

Following the numbers, Lookout says that half of the 32 problematic apps are in Russian, demonstrating that the criminals behind the scheme are targeting a specific demographic. The content ranges from wallpaper applications, games, recipes, and even a sex application.

Given the nature of the fake advertising network present in all of the compromised apps, Lookout was unable to determine if they were created simply to host BadNews, or if the developers were fooled into using compromised code. Lookout has posted more technical details on their blog. In the meantime, they have some advice for enterprise managers:

“...Enterprise security managers must assume that even very well designed app-vetting processes will not be able to detect malicious behavior that hasn’t happened yet. Ongoing security monitoring is important to detect malicious behavior that happens some time after an app’s initial evaluation.”

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.