The family of Android malware that slipped past security defenses and infiltrated Google Play is more widespread than previously thought. New evidence shows it was folded into three additional apps and has been operating for at least 10 months, according to security researchers.
BadNews, as the malicious ad network library is called, has been included in at least 35 different apps that were available on Google servers for download, researchers from antivirus provider Bitdefender said Monday. As Ars reported last week, figures provided by Google showed they had been downloaded anywhere from two million to nine million times. Although Google had removed 32 apps as of Friday, company security personnel didn't remove the additional three apps until they were flagged this weekend by Bitdefender. Apps that contain the BadNews code upload phone numbers, unique device identifiers, and other data from infected phones and then present end users with prompts to download and install fake updates for legitimate applications such as Skype.
The Bitdefender report came as researchers from security firm Fortinet reported the deactivation of a Google Play developer account that was also pushing a suspicious app.
It's unclear why Google employees removed the additional apps only after Bitdefender discovered them. It's possible that the code uses polymorphism to keep from displaying tell-tale signatures that could be caught by Bouncer, the cloud-based scanning service Google unveiled last year. A more depressing possibility is that the company didn't run a new set of scans on its existing base of offerings after receiving last week's report. Google representatives declined to comment on the record about the Bitdefender report.
"We've been saying for a while that there's aggressive adware that collects your data, collects all kinds of stuff on you, but now you can actually bypass Google security by using the custom-made adware framework," Bitdefender researcher Liviu Arsene told Ars. "As long as I convince enough developers to use my adware framework, I can push any type of content I want through that framework."
Among the malicious apps promoted by BadNews is AlphaSMS, a trojan that racks up charges by sending text messages to pricey services. Arsene said the malicious BadNews code library used to push such apps has been in existence since at least June 2012, although some of the apps that included it didn't initially display the fake update notifications.
"Although it didn't feature the push notification telling users to install fake updates—like the Skype update, for instance—it did have the function built into it," he explained. "It was kind of like someone was testing it but they didn't actually go along and have the malware. Somebody was testing the adware framework before it actually went and disseminated malware."
The revelation that some of the malicious functionality was never activated means that some users infected by BadNews may never have noticed anything awry. Even after a malicious update is displayed on an infected device, the user must specifically choose to download and install it and must have configured the phone to install apps from third-party sources. Still, while many Android users in the US rely solely on Google Play, third-party sources are much more popular in China and other countries. Ultimately, there's no independent way to know just how many end users may have fallen for the ruse.
The takeaway for Android users is to consider running a smartphone antivirus app. The Bitdefender product has been detecting BadNews code since June 2012 as Android.Trojan.InfoStealer.AK, Arsene said. Apps from other AV providers, including Lookout Mobile Security, also detect the BadNews apps. Users should think long and hard before allowing their devices to install apps from sources other than Google Play. The fact that the service has been hosting malicious titles for almost a year suggests that relying on Google Play alone is by no means ironclad protection. Still, it can add an important layer of defense even when malicious apps do sneak past Google defenses.

via: Ars Technica