Google's Play store security has once again been embarrassed by the discovery of an ambitious botnet that sneaked past its app vetting systems to infect possibly huge numbers of Android users.
Lookout Mobile Security, which spotted the ruse, said it had tracked down 32 apps that seemed to be tied into what at first looked like just another advertising network with its own SDK, now dubbed 'BadNews'.
The dastardly part is that the apps themselves appear innocent but come with the ability to contact a command and control server in order to push a range of genuinely malicious apps, including the AlphaSMS toll fraud app widely circulated by East European gangs.
In an attempt to remain unnoticed for as long as possible, the designers of BadNews designed the apps to behave legitimately for a period of time before hitting the user with bogus update requests at which point trouble begins.
Roughly half the discovered apps used to distribute BadNews were aimed at Russian speakers and designed to commit toll fraud, Lookout said.
The apps themselves included games and screensavers and were the work of four developers who might or might not be aware that their apps were being used as covers to get BadNews on to smartphones.
The company estimated the number of times potentially malicious apps were downloaded at between two and five million, including updates and earlier versions of apps that weren't malicious.
Not all these downloads will therefore equate to infections but it is clear that large number of users could have been hit by malware from the one location, Google Play, they might reasonably assume to be safe.
Google was informed of the issue and had suspended the developer accounts, Lookout said, but it is hard to escape the uneasy feeling that criminals are successfully targeting Google's Play at will.
"BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behaviour," said Lookout researcher, Marc Rogers.
"If an app has not yet engaged in malicious behaviour, a typical app vetting process would of course conclude that it was safe because the malicious behaviour has not yet occurred."
Developers now needed to pay careful attention to the SDKs they used and that even the most innocent-looking apps could still be a backdoor to malicious software, he said.
Earlier this week, security firm NQ Mobile reported that Android malware rose by 163 percent between 2011 and 2012, infecting nearly 33 million devices. Most of these victims were in China, Russia and India.
Sign up for Computerworld eNewsletters.