Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

New Android Trojan Fools Traditional Application Vetting Processes

Lookout, a mobile security firm in San Francisco, has discovered a new family of malware targeting Android, and based on Google Play stats – it’s been downloaded at least two million times, but that number could be as high as nine million.

Lookout, a mobile security firm in San Francisco, has discovered a new family of malware targeting Android, and based on Google Play stats – it’s been downloaded at least two million times, but that number could be as high as nine million.

Lookout calls the malware “BadNews”, and we’ll leave the opening for a spectacular news related pun out of the picture for the moment. While researching the latest Android threat, Lookout discovered that it was able to harvest information about the device and ship it off to a remote server, as well as send fake news messages and prompt users to install additional applications, which are also malicious.

When installing additional software, BadNews delivers AlphaSMS, which is a well-known SMS fraud app that leads to massive charges by sending messages to premium rate numbers in the Russian Federation and neighboring countries such as the Ukraine, Belarus, Armenia and Kazakhstan.

“BadNews masquerades as an innocent, if somewhat aggressive advertising network. This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network. Because it’s challenging to get malicious bad code into Google play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny,” Lookout explained on their blog.

“BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior. If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred.”

Following the numbers, Lookout says that half of the 32 problematic apps are in Russian, demonstrating that the criminals behind the scheme are targeting a specific demographic. The content ranges from wallpaper applications, games, recipes, and even a sex application.

Given the nature of the fake advertising network present in all of the compromised apps, Lookout was unable to determine if they were created simply to host BadNews, or if the developers were fooled into using compromised code. Lookout has posted more technical details on their blog. In the meantime, they have some advice for enterprise managers:

Advertisement. Scroll to continue reading.

“…Enterprise security managers must assume that even very well designed app-vetting processes will not be able to detect malicious behavior that hasn’t happened yet. Ongoing security monitoring is important to detect malicious behavior that happens some time after an app’s initial evaluation.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...