There’s BadNews, and There’s Really Bad News

By now you’ve probably heard about BadNews, a malware family that is targeting Android phones. In a blog post of April 19, the security firm Lookout reported that it had discovered BadNews in 32 apps across 4 different developer accounts in Google Play. Lookout reported its findings to Google, and the apps (and developers) have subsequently been removed from the app store—but not before millions of people downloaded the affected applications.

BadNews poses as an ad network that gets embedded into various applications. At first look, BadNews appears to be legitimate, but upon thorough inspection, Lookout concluded that the code evades the vetting process for malicious apps by delaying its nefarious activity. That is, it appears to be harmless when it is first installed. Once activated, however, BadNews checks in with a Command & Control (C&C) server to await instructions. Meanwhile, the code collects the device’s phone number and its IMEI (the International Mobile Equipment Identity, the serial number that uniquely identifies the handset) and sends this sensitive information to the C&C server, effectively making the phone part of a botnet.

The fact that BadNews masquerades as a legitimate ad network is troubling. If you read my earlier post about what information some mobile apps collect, you’ll recall that many app developers freely choose to embed ad networks into their apps in order to make money while offering the app at low or no cost. If BadNews poses as a legitimate ad network and offers sufficient incentives to developers, this malicious code could end up in a lot more than 32 applications from 4 measly developers. In fact, we have no way of knowing whether that isn’t already the case, and that’s the really bad news: there could be a lot more apps out there with embedded malware and no one is the wiser…yet.

Just as malware on the desktop has reached levels of high sophistication, this code shows signs of mobile malware reaching new levels of sophistication. It has been designed to pass the vetting stage of app stores like Google Play, so people think the apps are safe because, at least initially, there is no malicious behavior. What’s more, BadNews has been successful in delivering its payload and collecting sensitive information. Success breeds success, so even if 32 apps have been banished from Google Play, 32 hundred will pop up to take their place.

Individuals and enterprises should take away a few lessons from Lookout’s discovery of BadNews.

For individuals, Lookout provides a few good tips:

  • Make sure the Android system setting “Unknown sources” is unchecked to prevent dropped or drive-by-download app installations.
  • Download a mobile security app that protects against malware as a first line of defense.

For enterprises that allow bring-your-own-device (BYOD) computing:

  • Consider installing a mobile security solution on workers’ phones that completely separates personal from corporate applications and data. There are numerous “wrappers” and “sandboxes” that can do this. Then your corporate data should remain secure, no matter what happens on the personal side of the phone.

We haven’t seen the last of BadNews or its many eventual derivatives. Eradicating 32 malicious apps is like busting the small-time drug dealer on the corner while the big cartels go untouched—it’s a nice effort but the impact is minimal; there’s plenty more havoc to be delivered in the future.

For more details about BadNews and how it operates, read the full Lookout blog post on the topic. It was written by Marc Rogers. Thanks, Marc, for giving us fair warning about this malware.