Newly Discovered Android Malware Was Downloaded Millions Of Times

Security firm Lookout has detailed a clever new bit of Android Malware lurking in the Google Play store. The good news: unless you’re downloading questionable Russian clone apps, you’re probably not affected. The bad news: that hasn’t kept it from being downloaded a few million times.

The new malware, fittingly dubbed “BadNews”, has been spotted tucked into 32 different apps from 4 separate developer accounts. Since Google Play only gives download numbers as huge ranges, no one can say exactly how many devices this has affected. With the lowball estimates, it’s around two million. On the high end, it’s as many as nine million. In reality, it’s somewhere in between the two.

As the BadNews bug appears to have been distributed as an ad framework for developers to use, it’s unclear how many of the infected apps were built primarily for malicious reasons. It’s quite possible that some of the apps were built by well-meaning developers who just made a bad decision on an ad provider.

While Google has been making an effort to crackdown on malware with things like Bouncer (which constantly scans the Play store’s apps for telltale signs of malware), it’s a never-ending (and very much uphill) battle. BadNews snuck into the store by posing as an ad network, only firing off the nasty bits of code by way of remote signal once it had found its way onto a bunch of devices.

So, what makes BadNews bad news? It does at least two things you’d probably rather your phone didn’t do:

  • Fakes alerts encouraging you to download other infected apps, as well as things like AlphaSMS, which hijacks your phone and silently signs it up for premium SMS services
  • Sends your phone number and unique device i.d (the IMEI) back to the malware’s mothership

bad news

LookOut has the full list of known affected apps, with over half of them targeted at Russian users. The most popular, by far, is “Savage Knife”, a game meant to simulate 5 Finger Fillet — or, as it’s better known, “that dumb game where you try not to cut off your finger”. By the time it was pulled from the store yesterday, it had somewhere between one and five million installs.

Following LookOut’s report, Google has pulled all 32 known-infected apps for the store.

Malware? On Android?!

Preposterous. Wait, no. That’s not the word I’m looking for.