
New malicious apps found in Google Play

The family of Android malware that slipped past security defenses and infiltrated Google Play is more widespread than previously thought. New evidence shows it was folded into three additional apps and has been operating for at least 10 months, according to security researchers.
BadNews, as the malicious ad network library is called, has been included in at least 35 different apps that were available on Google servers for download, researchers from antivirus provider Bitdefender said Monday. As Ars reported last week, figures provided by Google showed they had been downloaded anywhere from two million to nine million times. Although Google had removed 32 apps as of Friday, company security personnel didn't remove the additional three apps until they were flagged this weekend by Bitdefender. Apps that contain the BadNews code upload phone numbers, unique device identifiers, and other data from infected phones and then present end users with prompts to download and install fake updates for legitimate applications such as Skype.
The Bitdefender report came as researchers from security firm Fortinet reported the deactivation of a Google Play developer account that was also pushing a suspicious app.
It's unclear why Google employees removed the additional apps only after Bitdefender discovered them. It's possible that the code uses polymorphism to keep from displaying tell-tale signatures that could be caught by Bouncer, the cloud-based scanning service Google unveiled last year. A more depressing possibility is that the company didn't run a new set of scans on its existing base of offerings after receiving last week's report. Google representatives declined to comment on the record about the Bitdefender report.
"We've been saying for a while that there's aggressive adware that collects your data, collects all kinds of stuff on you, but now you can actually bypass Google security by using the custom-made adware framework," Bitdefender researcher Liviu Arsene told Ars. "As long as I convince enough developers to use my adware framework, I can push any type of content I want through that framework."
Among the malicious apps promoted by BadNews is AlphaSMS, a trojan that racks up charges by sending text messages to premium-rate numbers. Arsene said the malicious BadNews code library used to push such apps has been in existence since at least June 2012, although some of the apps that included it didn't initially display the fake update notifications.
"Although it didn't feature the push notification telling users to install fake updates—like the Skype update, for instance—it did have the function built into it," he explained. "It was kind of like someone was testing it but they didn't actually go along and have the malware. Somebody was testing the adware framework before it actually went and disseminated malware."
The revelation that some of the malicious functionality was never activated means that some users infected by BadNews may never have noticed anything awry. Even after a malicious update is displayed on an infected device, the user must specifically choose to download and install it and must have configured the phone to install apps from third-party sources. Still, while many Android users in the US rely solely on Google Play, third-party sources are much more popular in China and other countries. Ultimately, there's no independent way to know just how many end users may have fallen for the ruse.
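As an added example (not code from the article, Ars, Bitdefender or Google), the script below ties together two points above: the three capabilities a BadNews-carrying app combines (reading the phone number and device identifier, uploading them, and prompting the user to install a downloaded APK posing as an update) and the sideloading precondition that the prompt depends on. The decoded manifest, the decompiled-string list and the settings dump are constructed samples; the permission/MIME-type heuristic and the `install_non_market_apps` check (the Android 4.x-era secure setting behind "Unknown sources") are assumptions of this example, not detection signatures from the report.

```python
# Added example: static triage for the BadNews behaviour pattern described
# above. The heuristic, the sample manifests, strings and settings dump are
# all constructed for illustration, not taken from the report.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Reading the phone number / IMEI on Android needs READ_PHONE_STATE;
# shipping it off-device needs INTERNET.
IDENTIFIER_PERMS = {"android.permission.READ_PHONE_STATE"}
NETWORK_PERMS = {"android.permission.INTERNET"}
# MIME type an app hands to the system package installer to prompt the user
# to install a downloaded APK (the "fake update" step). The install only
# goes through if installs from unknown sources are enabled on the device.
APK_MIME = "application/vnd.android.package-archive"

# Constructed sample: apktool-style decoded manifest of an app bundling an
# ad library that declares the permissions the described behaviour requires.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaperapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Wallpapers">
    <service android:name="com.example.adlib.PushService"/>
  </application>
</manifest>
"""

# Constructed sample: string constants as they might appear in decompiled code.
SUSPECT_STRINGS = [
    "getLine1Number",
    "getDeviceId",
    "http://ads.example.invalid/report",
    "Update Skype now",
    "application/vnd.android.package-archive",
]

# Constructed benign counterpart: network access only, no identifier reads,
# no hand-off to the package installer.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""
BENIGN_STRINGS = ["https://sync.example.invalid/notes"]

# Constructed sample of `adb shell settings list secure` output (name=value
# lines) from a device where sideloading has been switched on.
SAMPLE_SETTINGS_DUMP = """adb_enabled=1
install_non_market_apps=1
lock_pattern_visible_pattern=1
"""


def declared_permissions(manifest_xml):
    """Return the set of android:name values on <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {e.get(name_attr) for e in root.iter("uses-permission")}


def triage(manifest_xml, code_strings):
    """Flag the three capabilities the article attributes to BadNews apps."""
    perms = declared_permissions(manifest_xml)
    findings = {
        "reads_device_identifiers": bool(perms & IDENTIFIER_PERMS),
        "can_upload": bool(perms & NETWORK_PERMS),
        "prompts_apk_install": any(APK_MIME in s for s in code_strings),
    }
    findings["matches_badnews_pattern"] = all(findings.values())
    return findings


def sideloading_enabled(settings_dump):
    """Parse name=value lines from `settings list secure` and report whether
    installs from unknown sources are on (the precondition for the fake
    update to actually install)."""
    for line in settings_dump.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "install_non_market_apps":
            return value.strip() == "1"
    return False


if __name__ == "__main__":
    print(triage(SUSPECT_MANIFEST, SUSPECT_STRINGS))
    print(triage(BENIGN_MANIFEST, BENIGN_STRINGS))
    print("sideloading enabled:", sideloading_enabled(SAMPLE_SETTINGS_DUMP))
```

The permission check alone produces many false positives, since plenty of legitimate apps hold READ_PHONE_STATE and INTERNET; it is the combination with code that hands a downloaded APK to the package installer that matches the behaviour the article describes, which is why the script only reports a match when all three are present.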
The takeaway for Android users is to consider running a smartphone antivirus app. The Bitdefender product has been detecting BadNews code since June 2012 as Android.Trojan.InfoStealer.AK, Arsene said. Apps from other AV providers, including Lookout Mobile Security, also detect the BadNews apps. Users should think long and hard before allowing their devices to install apps from sources other than Google Play. The fact that the service has been hosting malicious titles for almost a year suggests this protection is by no means ironclad. Still, it can add an important layer of defense even when malicious apps do sneak past Google defenses.

via: Ars Technica
