Lookout Security has uncovered a new family of Android malware that has infected between two million and 10 million devices through malicious Play Store apps. The mobile security vendor, in a blog post on Friday, reported linking the "BadNews" malware to a bogus advertising network.
"BadNews masquerades as an innocent, if somewhat aggressive advertising network. This is one of the first times that we've seen a malicious distribution network clearly posing as an ad network," wrote Lookout's Marc Rogers.
Rogers said that by embedding the malware in the advertising network used in the apps, rather than the apps themselves, the criminals bypass Google's Bouncer scanner.
"Because it's challenging to get malicious bad code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny," wrote Rogers.
The malware has the ability to send fake messages from the infected phone and is linked to a number of premium rate SMS scams.
"BadNews has the ability to send fake news messages, prompt users to install applications and sends sensitive information such as the phone number and device ID to its command and control (C&C) server," wrote Rogers.
"BadNews uses its ability to display fake news messages in order to push out other types of monetisation malware and promote affiliated apps. During our investigation we caught BadNews pushing AlphaSMS, well known premium rate SMS fraud malware, to infected devices."
Lookout said that the majority of apps hosting BadNews are Russian and that command and control servers are likely in the same region.
"We have identified three C&C servers, one in Russia, one in the Ukraine, and one in Germany. All C&C servers are currently live but Lookout is working to bring them down," wrote Rogers.
"About 50 percent of the identified applications are in Russian and AlphaSMS is designed to commit premium rate SMS fraud in the Russian Federation and neighbouring countries such as the Ukraine, Belarus, Armenia and Kazakhstan."
The security firm confirmed it is working to mount a takedown operation to shut down the BadNews malware's servers. If successful, the firm will join Microsoft, Symantec and Trend Micro, all of which have taken part in takedown operations this year: Symantec and Microsoft famously helped shut down the Bamital botnet, and Trend Micro helped Spanish police take down the Reveton ransomware.