Lookout has discovered BadNews, a new malware family, in 32 apps across four different developer accounts in Google Play. According to Google Play statistics, the combined affected applications have been downloaded between 2,000,000 – 9,000,000 times.
That’s nine million potential installations. Nine. Million.
It appears that this is delayed attack, with the perpetrator pitching this as an advertising network. And initially, it was. However, some time after the apps hit the play store the traffic was diverted to more nefarious means.
Not only did this malware do some really spammy things, like pushing fake notifications to prompt interactions, but it also carried with it a payload for AlphaSMS. AlphaSMS triggers premium rate SMS messages from your phone.
There’s a clear lesson here. This problem has emerged because genuine developers have included libraries in their apps that pull in content from servers they do not control. They trust the makers of those libraries to only serve adverts. In this case they’re serving malware. The lesson is this, be very careful who you trust.