Researchers have discovered a new family of malware that found its way into legitimate apps inside Google's official store thanks to a malicious advertising network.
The malware was detected in 32 apps across four different developer accounts in Google Play and was downloaded up to nine million times, according to Lookout researchers who dubbed the malware BadNews.
Far fewer users were infected with malicious code.
BadNews “ads” were hosted in a range of apps, from popular games to Russian dictionary apps (about 50 percent of the malicious apps are in Russian).
The fake ads prompted users to download app updates where malware dubbed AlphaSMS was downloaded.
AlphaSMS masqueraded as an app downloader which forced infected devices to send out premium-rate texts.
Google removed the affected apps and suspended the developer accounts associated with the ad network.
BadNews could exfiltrate sensitive information including phone numbers and device unique International Mobile Equipment Identity (IMEI) numbers to a command-and-control server.
“Because it's challenging to get malicious bad code into Google Play, the authors of BadNews created a malicious advertising network as a front that would push malware out to infected devices at a later date in order to pass the app scrutiny,” principal security researcher Marc Rogers said.
"...a typical app-vetting process would, of course, conclude that it was safe because the malicious behavior has not yet occurred.”
The malware outbreak served as a lesson that developers should closely monitor third-party libraries included in their apps, which could put users at risk, Rogers said.
Lookout is working to take down three BadNews command-and-control servers, believed to be based in Russia, Germany and the Ukraine.