In a clever twist to Android malware, cybercriminals posing as an ad network were able to fool Google Play and have their malware-distributing framework downloaded millions of times through dozens of apps.
Dubbed BadNews, the ad framework, which developers embed in apps to display advertising for money, appeared benign for weeks before sending fake update notifications, such as for Skype or a Russian social network, experts said. Clicking on a link in the message would either send the user to a malicious site or start the download process.
Because the framework did nothing for a long time, the cybercriminals were able to slip under the radar of the automated vetting software used in Google Play, said Marc Rogers, principal security analyst for mobile security specialist Lookout. In addition, the criminals' ruse also tricked developers into believing they were using a legitimate ad network.
"It's an evolution in malware in quite a cunning way," Rogers said on Monday.
The mobile security firm Lookout monitored the framework for three months before discovering that it eventually would download AlphaSMS, a well-known fraud app that sends text messages to a premium paid service that leads to charges being added to the phone user's wireless bill.
AlphaSMS is a popular malware used in Russia and neighboring countries, such as the Ukraine, Belarus, Armenia and Kazakhstan, where regulations are lax in the use of premium text services.
Along with downloading the SMS fraud app, BadNews also sent sensitive information, such as the phone number and device identification number, to a command and control server.
A total of 32 infected apps spread across four different developer accounts were downloaded between 2 million and 9 million times. Google removed the apps late last week, within hours after being notified by Lookout, Rogers said. All the apps were distributed in and around Russia.
The scheme pointed to a weakness in Google Play's monitoring of the activity of ad frameworks, which distribute ads from a remote server. The content is separate from what is in the app.
Whether a BadNews-like ad framework could also trick Apple is not clear. Unlike Google, Apple uses people to vet apps before placing them in the App Store.
However, experts saw no reason why a person would no if an ad framework was legitimate without monitoring it for a few months to watch for malicious activity.
"I would like for some third-party institution to give some kind of certification that says this is actually a good adware framework and this is not," said Liviu Arsene, a security researcher for Bitdefender.
Another option would be for app stores to only allow approved ad frameworks.
"If it's a new advertising network that you've never seen before, don't trust it," Rogers said. "Monitor it for a few months until it has earned some trust."
Sign up for Computerworld eNewsletters.