Apps contained a "fake" ad network, directed users to install malware disguised as free applications

Yesterday, the folks over at Lookout divulged their latest find. 32 applications, mostly Russian language, were found to contain what Lookout calls "BadNews" -- a new piece of code that facilitates easy installation of malware onto users phones who have it installed. They estimate that apps containing BadNews have been installed over 2,000,000 times. While this is but a small drop compared to the hundreds of millions of Android devices and 25+ Billion apps installed from the Play store, it's still quite the eye popping number.

BadNews is disguised as an ad network. Besides serving ads for other less popular apps containing the BadNews code, it has the ability to send some of your private data (including your phone number and IMEI) to a server. It also displays fake news messages about app updates and links to actual malware that a user could install outside Google Play. 

The offending applications, distributed across four different developer accounts, have been purged from Google Play. If you think you may have been affected, or are running one of the apps, Lookout's security application can assist in identifying the things you need to remove.

We appreciate a well researched and legitimate look at malware like this news, and don't want it to get buried like the so many FUD stories around the Internet that are speculation with no numbers. For a list of the applications, and a look at how this was discovered, click the source link below. Carry past the break for some further discussion.

Source: Lookout

Now to talk a bit about how and why this happened, and what users could have done differently to protect themselves. To start with, over 2,000,000 people downloaded an application from Google Play, and said "yes" when asked if they wanted to allow the downloaded application to have access to their phone number. We understand that all the app permissions can be confusing, and that often there are legitimate reasons for apps to request permissions to sensitive information. But we have to be diligent and read those permissions, every time, and pass on the apps we think have requests that sound fishy. While this means that we'll likely have to pass on a few apps that are innocent, it also means we won't have some spammy app sending all our contact data off to some server in the Russian Federation. This is the price of having an open application store, and while Google can come back and remove apps that have gone wild after they are found, we have to practice a little care of our own.

The second one is a no-brainer. If you click an ad banner that promises an update to an app that you downloaded from Google Play, or directs you to download and install any files to your phone, you have to say no. This is why it was a big deal when Facebook decided to go rogue and update their app in an unapproved manner, and why many folks were calling for their heads and removal of their app from Google Play for doing so. If you allow things like this to happen, nobody can help you. This time, these apps would have been detected by a security app like Lookout, but next time they may not. Just Say No.

It's relatively easy to write malicious code and inject it into an application that users want. It's not so easy to distribute it from Google Play, and as a result we see convoluted methods like BadNews to get the job done. Be diligent, be safe, and whenever you're in doubt ask for advice in the forums. We may be bickering between ourselves over whether Samsung or HTC makes the better phone, but we all work together when a friend is in need.

There are 33 comments

only thousands more to go. Keep up the never ending fight.

Bobert_123 says:

Another reason I love my Z10

still1 says:

half of z10 apps are android apps

Lanhoj says:

And the other half are just links to mobile versions of their websites.

I like my Z10 but the App World selection is horrendous.
On Android I average 25-35$/mos from Play Store content whereas I haven't found content worth even spending 15$ in the past 6 weeks.

Bobert_123 says:

Keep telling yourself that

Bobert_123 says:

Actually it's only 20%, I tend to stay away from those.


You Crackberry trolls are the worst.

12Danny123 says:

I agree. Them spamming wpcentral, Imore androidcentral. Is absolutely idiotic and pathetic

mwara244 says:

Thank god for the z10 and blackberry, thankfully they have barely any apps and aren't popular enough to have to worry about people trying to steal their information from a dying OS brand.

Seriously though, I've known not to download any russian or chinese apps I have been interested in just from common sense ever since i got my D1 in 2010. Just from using the internet we all have seen and heard of russian and chinese hackers always trying to crack our home pc's.

Maybe Google should explain what people are doing by accepting terms to apps and explain it layman terms for those who aren't sure and don't understand why apps need your permissions so they are more informed to what they download and why those apps need to access certain information on your phone.

schrack3000 says:

So you're the one.

chubb says:

Well your not safe on any platform. Remember this that was on BB a few years back? I can't post the link now thanks spammers! But Google the Zeus malware.

So now go troll Crack berry how horrible android is since you don't understand or cant handle device and OS freedom and a uncensored app store. Good day.

TheDu9du says:

Is any body really taking on the cranckberry trolls? For reals.. I think there are more ppl trying to give away a Z10 rather than trying to get one.

return_0 says:

Exactly, how can you get malware from apps when there are no apps at all?

syntulk says:

Google doesn't like it when apps want to emphasize their cheekbones. :(

Can you clarify that comment. Not sure I understand. :(

yoinks says:

Ha! That comment cracked me up. I think he was going for "rogue" rather than "rouge".

lithium98 says:

Anyone who downloads an app with icons that look like that, deserves the malware hell they get themselves into.

anthonycr says:

Never judge an app by its icon. jk, I always judge based on icon

jrmoore10 says:

I think Google is doing a better job at malware control. While it seems that it would sparingly attack US android users, I'm glad to see that the android experience is being protected on a worldwide front. BTW, I'm extremely particular about what apps I download. I often uninstall an app simply because I don't like the icon. These apps would have never stood a chance with me. LOL

Pervbear says:

How about just changing the icon

moosc says:

Don't DL bouncy boob apps

Tigrisan says:

I've had a couple people ask me why I always use Lookout to scan any app I'm installing before the .apk actually installs. This would be why. Lookout has found a couple apps I thought were okay and they had great icons too! ;o)

Seriously though, it only takes an extra couple seconds. Why wouldn't one want to scan first if they had the opportunity? Because if it can be downloaded regardless of the medium, some a$$hat out there will try to exploit it.

bumpandrun says:

Highly agree, I'm a faithful Lookout Premium user.

12Danny123 says:

I really think Google should check their the way Microsoft and apple does it. I understand its like getting rid of of tones of them but its for the best for Google and the user.

my 2 cents

Etios says:


Crisdean says:

Good news for Android users. Currently using a Z10 but intending to add a Note 2 and Galaxy Note Tablet 10.1 or what it's called. Love Android.

deadlock4400 says:

before a app is going to enter googleplay, google must check that app. because it's a technical shame for google as those(may be more) apps are malware !! Millions of people using googleplay apps because those are taking care by google.

Thanks in Advance

Jdroid3 says:

Android Central it would be great if we have a article about what permissions to look for when we download an app out of the Play Store. I'm sure you've probably done this before. We are getting so many new users.

ok, icons for 28 apps and the article says 32. What are the other 4?

TheDu9du says:

Did Sergey himself found this apps? would it be faster to find more of this apps if Google hires more Russian bilinguals. Or do all of them want to work only for Yandex?

Voliam says:

Strange, no comments by the malware app naysayers? Don't need Lookout, et al? Malware not a problem on Android devices?
Others needing advice about what permissions to look for? App can read your contacts, make calls/ send texts without your permission, read phone logs, upload your user information, read all installed apps, determine your location, activate camera without your permission, etc., etc?
All that is self explanatory, and a little common sense determines whether those permissions are necessary for a given app.

toddjy says:

Every app I've ever installed asks for phone state and identity. Nook and Kindle both do.

smij says:

Ok, maybe I'm just missing it, but is there an actual list of the malware apps and not just the icons? I don't recognize the icons, so I'm guessing I don't/didn't have any of them, but I would like to know the names. Anyone have a list of them. Thx.
Also, forgive my ignorance, but if the apps are removed from Play, does that mean they would be removed from the phone or do we still need to go in an uninstall? Thanks in advance for any helpful responses.