Apps contained a "fake" ad network, directed users to install malware disguised as free applications
Yesterday, the folks over at Lookout divulged their latest find. 32 applications, mostly Russian language, were found to contain what Lookout calls "BadNews" -- a new piece of code that facilitates easy installation of malware onto the phones of users who have one of these apps installed. They estimate that apps containing BadNews have been installed over 2,000,000 times. While this is but a small drop compared to the hundreds of millions of Android devices and 25+ billion apps installed from the Play store, it's still quite the eye-popping number.
BadNews is disguised as an ad network. Besides serving ads for other less popular apps containing the BadNews code, it has the ability to send some of your private data (including your phone number and IMEI) to a server. It also displays fake news messages about app updates and links to actual malware that a user could install outside Google Play.
The offending applications, distributed across four different developer accounts, have been purged from Google Play. If you think you may have been affected, or are running one of the apps, Lookout's security application can assist in identifying the things you need to remove.
We appreciate a well-researched and legitimate look at malware like this, and don't want it to get buried like so many of the FUD stories around the Internet that are speculation with no numbers. For a list of the applications, and a look at how this was discovered, click the source link below. Carry on past the break for some further discussion.
Now to talk a bit about how and why this happened, and what users could have done differently to protect themselves. To start with, over 2,000,000 people downloaded an application from Google Play, and said "yes" when asked if they wanted to allow the downloaded application to have access to their phone number. We understand that all the app permissions can be confusing, and that often there are legitimate reasons for apps to request permissions to sensitive information. But we have to be diligent and read those permissions, every time, and pass on the apps we think have requests that sound fishy. While this means that we'll likely have to pass on a few apps that are innocent, it also means we won't have some spammy app sending all our contact data off to some server in the Russian Federation. This is the price of having an open application store, and while Google can come back and remove apps that have gone wild after they are found, we have to practice a little care of our own.
The second one is a no-brainer. If you click an ad banner that promises an update to an app that you downloaded from Google Play, or directs you to download and install any files to your phone, you have to say no. This is why it was a big deal when Facebook decided to go rogue and update their app in an unapproved manner, and why many folks were calling for their heads and removal of their app from Google Play for doing so. If you allow things like this to happen, nobody can help you. This time, these apps would have been detected by a security app like Lookout, but next time they may not. Just Say No.
It's relatively easy to write malicious code and inject it into an application that users want. It's not so easy to distribute it from Google Play, and as a result we see convoluted methods like BadNews to get the job done. Be diligent, be safe, and whenever you're in doubt, ask for advice in the forums. We may be bickering among ourselves over whether Samsung or HTC makes the better phone, but we all work together when a friend is in need.