Cyber scammers fake out Google Play with bogus ad network

Bad guys loaded Google Play with 32 Android apps that, once installed, pull malicious payloads from remote servers

For all of Google's efforts to maintain a malware-free mobile app store, the bad guys remain one step ahead. In the latest instance, innovative cyber scammers bypassed Google's scrutiny by creating a bogus advertising network, dubbed BadNews, designed to push malware to devices loaded with seemingly secure applications only after they've been installed, according to mobile security company Lookout.

"BadNews masquerades as an innocent, if somewhat aggressive, advertising network. This is one of the first times that we've seen a malicious distribution network clearly posing as an ad network," wrote Lookout principal security researcher Marc Rogers. "[It's] a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior."

Lookout reported finding 32 English and Russian apps that were part of the BadNews family. They had been collectively downloaded as many as 9 million times before the company alerted Google to the threat. Google responded by removing the apps and suspending the four associated developer accounts.

BadNews is groomed to look like an ordinary advertising network SDK, according to Lookout, and it's hosted in a number of innocuous applications, ranging from a Russian dictionary to popular games like Savage Knife, Bottle Shoot, True or False, and Stupid Birds. There were also wallpaper apps, a thesaurus, and a telephone network tool on the list. "It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network," Rogers wrote.

When a user installs one of these apps onto his or her device, the app will connect with a command-and-control (C&C) server to deliver malware. It will also send the phone number and device ID to the C&C server. "BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps," according to Rogers.

Lookout identified three C&C servers: one in Russia, one in the Ukraine, and one in Germany.

Rogers cautioned developers, users, and IT managers to take heed of this approach to spreading malware. "Developers need to pay very close attention to any third-party libraries they include in their applications. Unsafe libraries can put their users and reputation at risk," he wrote.

He also cautioned enterprise security managers not to take app stores' app-vetting processes for granted. "Ongoing security monitoring is important to detect malicious behavior that happens some time after an app's initial evaluation," he wrote.

Rogers also recommended that users make sure that their "Unknown sources" setting is unchecked, so as to prevent dropped or drive-by-download app installs.

This story, "Cyber scammers fake out Google Play with bogus ad network," was originally published on the InfoWorld Tech Watch blog.

Copyright © 2013 IDG Communications, Inc.