Google Play apps used to hide 'BadNews' mobile botnet, security firm discovers

Legitimate apps mask command and control

Google's Play store security has once again been embarrassed by the discovery of an ambitious botnet that sneaked past its app vetting systems to infect possibly huge numbers of Android users.

Lookout Mobile Security, which spotted the ruse, said it had tracked down 32 apps that seemed to be tied into what at first looked like just another advertising network with its own SDK, now dubbed 'BadNews'.

The dastardly part is that the apps themselves appear innocent but come with the ability to contact a command and control server in order to push a range of genuinely malicious apps, including the AlphaSMS toll fraud app widely circulated by East European gangs.

In an attempt to remain unnoticed for as long as possible, the creators of BadNews built the apps to behave legitimately for a period of time before presenting the user with bogus update requests, at which point the trouble begins.

Roughly half the discovered apps used to distribute BadNews were aimed at Russian speakers and designed to commit toll fraud, Lookout said.

The apps themselves included games and screensavers and were the work of four developers who might or might not be aware that their apps were being used as covers to get BadNews on to smartphones.

The company estimated the number of times potentially malicious apps were downloaded at between two and five million, including updates and earlier versions of apps that weren't malicious.

Not all of these downloads will therefore equate to infections, but it is clear that a large number of users could have been hit by malware from the one location, Google Play, that they might reasonably assume to be safe.

Google was informed of the issue and had suspended the developer accounts, Lookout said, but it is hard to escape the uneasy feeling that criminals are successfully targeting Google's Play at will.

"BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behaviour," said Lookout researcher, Marc Rogers.

"If an app has not yet engaged in malicious behaviour, a typical app vetting process would of course conclude that it was safe because the malicious behaviour has not yet occurred."

Developers now needed to pay careful attention to the SDKs they used, and even the most innocent-looking apps could still be a backdoor to malicious software, he said.
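The server-delayed behaviour Rogers describes is easy to model. The following Python is an added illustration, not code from the article or from Lookout: a stand-in command server stays silent until the app has been installed for a set number of days and only then pushes a bogus "update", a one-off vetting pass exercises the app for a short window, and a longitudinal monitor flags install prompts whose source is not the store whenever they occur. The timings, the poll protocol and the payload URL are constructed placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class CommandServer:
    """Stand-in for the command and control server (constructed, not BadNews's
    own protocol): it answers 'nothing to do' until the app has been installed
    for dormant_days, then tells the app to fetch and install a payload."""
    dormant_days: int
    payload_url: str = "http://c2.example.invalid/update.apk"  # placeholder, not a real indicator

    def poll(self, days_since_install: int) -> dict:
        if days_since_install < self.dormant_days:
            return {"action": "none"}
        return {"action": "install", "url": self.payload_url}


@dataclass
class DroppedApp:
    """An otherwise benign app that polls the server once a day and records
    what it did, so a monitor can inspect the event trail afterwards."""
    name: str
    server: CommandServer
    events: list = field(default_factory=list)

    def run_day(self, day: int) -> dict:
        cmd = self.server.poll(day)
        if cmd["action"] == "install":
            # The app asks the user to accept an 'update' that really comes from the C2.
            self.events.append((day, "prompt_install", cmd["url"]))
        else:
            self.events.append((day, "normal_use", ""))
        return cmd


def snapshot_vetting(app: DroppedApp, observe_days: int) -> str:
    """One-off review: exercise the app for observe_days and reject it only if it
    tries to install something from outside the store during that window."""
    for day in range(observe_days):
        if app.server.poll(day)["action"] == "install":
            return "rejected"
    return "approved"


STORE_HOST = "play.google.com"


def flag_sideload_prompts(events) -> list:
    """Longitudinal check over recorded behaviour: every install prompt whose
    source host is not the store is flagged, no matter how late it appears."""
    return [
        e for e in events
        if e[1] == "prompt_install" and urlparse(e[2]).hostname != STORE_HOST
    ]


def demo(dormant_days: int = 14, observe_days: int = 2, run_days: int = 30):
    """Run vetting with a window shorter than the dormancy period, then let the
    app live on a device for run_days and see what the monitor catches."""
    app = DroppedApp("screensaver", CommandServer(dormant_days))
    verdict = snapshot_vetting(app, observe_days)
    for day in range(run_days):
        app.run_day(day)
    return verdict, flag_sideload_prompts(app.events)


if __name__ == "__main__":
    verdict, flagged = demo()
    print("vetting verdict:", verdict)            # approved: window shorter than dormancy
    print("first flagged day:", flagged[0][0])    # 14
    print("flagged prompts:", len(flagged))       # 16
```

The point the model makes is the one in the quote: any vetting window shorter than the dormancy period approves the app, so the useful signal comes from watching installed apps over time (here, install prompts pointing outside the store) rather than from a single pre-publication check.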

Earlier this week, security firm NQ Mobile reported that Android malware rose by 163 percent between 2011 and 2012, infecting nearly 33 million devices. Most of these victims were in China, Russia and India.
