April 19, 2013

The Bearer of BadNews

Lookout has discovered BadNews, a new malware family, in 32 apps across four different developer accounts in Google Play. According to Google Play statistics, the combined affected applications have been downloaded between 2,000,000 – 9,000,000 times. We notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation. All Lookout users are protected against this threat.

BadNews masquerades as an innocent, if somewhat aggressive advertising network. This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network.  Because it’s challenging to get malicious bad code into Google play, the authors of Badnews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny.

Badnews has the ability to send fake news messages, prompt users to install applications and sends sensitive information such as the phone number and device ID to its Command and Control (C&C) server. BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps.

During our investigation we caught BadNews pushing AlphaSMS, well known premium rate SMS fraud malware, to infected devices.

BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior. If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred. We have two big takeaways from the appearance of BadNews:

  1. Developers need to pay very close attention to any third-party libraries they include in their applications. Unsafe libraries can put their users and reputation at risk.

  2. Enterprise security managers must assume that even very well designed app-vetting processes will not be able to detect malicious behavior that hasn’t happened yet. Ongoing security monitoring is important to detect malicious behavior that happens some time after an app’s initial evaluation.

About 50% of the identified applications are in Russian and AlphaSMS is designed to commit premium rate SMS fraud in the Russian Federation and neighboring countries such as the Ukraine, Belarus, Armenia and Kazakhstan. It’s worth noting that the people controlling this malware are also using it promote their less popular apps, which also contain BadNews.


The following table provides information about each of the 32 identified malicious apps, including high and low download boundaries.

Screen Shot 2013-04-18 at 9.16.29 PM

Lookout’s Take
BadNews is spun to look like an ordinary advertising network SDK and is hosted in a number of innocuous applications that range from Russian dictionary apps to popular games. It distributes the exact same malware that we have observed across a number of shady affiliate-based marketing websites. In addition, we found BadNews promoting other less popular affiliated apps, including a Russian diet app which also contained the BadNews.

It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network. However, based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetization SDK.

How it Works
Once activated, BadNews polls its C&C server every four hours for new instructions while pushing several pieces of sensitive information including the device’s phone number and its serial number (IMEI) up to the server.

The C&C server replies with instructions telling BadNews what to do next. Available instructions include displaying (fake) news to users, and prompting for installation of a downloaded app payload.

An example of a “news” response is shown below:


The Russian text roughly translates to “Critical Update to Vkontakte,” implying an available update to a popular Russian Social Networking app. We have also observed available “update” prompts for Skype.

In each case, the URL points to a download for the prolific AlphaSMS toll fraud app, which purports to install freely available software, but actually results in fraudulent charges via Premium SMS.

We have enumerated the majority of available download URLs and determined that most endpoints lead to the download of AlphaSMS. Others lead to cross-promotion of other infected apps on Google Play.

The APKs themselves have names such as skype_installer.apk, mail.apk, and vkontakte_installer.apk in an attempt to trick the user into accepting the permissions requested during APK installation and also line up with the text in the news article about this being part of a critical update.

Further, it is clear that a substantial amount of code in BadNews has previously appeared in other families associated with Eastern European toll fraud. The figure below summarizes the similarity of package structure, class names, method names and variables between BadNews and RuPaidMarket.m.

Screen Shot 2013-04-18 at 10.38.15 PM

Command & Control Servers

We have identified three C&C servers, one in Russia, one in the Ukraine, and one in Germany. All C&C servers are currently live but Lookout is working to bring them down.

How to Stay Safe

  • Make sure the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download app installs.

  • Download a mobile security app like Lookout’s app that protects against malware as a first line of defense.

Looking for more information on mobile threats like BadNews? Check out Lookout’s Top Threats resource.

Category:   Alerts
April 16, 2013

John Hering Demos How Easy it is to Hack a Phone at D: Dive into Mobile

Live from the All Things D Conference, D: Dive into Mobile, our CEO, John Hering (@johnhering on Twitter), demonstrated how easy it can be for your phone to be hacked.

“We’re starting to see a fundamental shift in the attacks on mobile devices in the post-PC era.” said John.


John showed how spoofed email can be used as a first step to compromise a targeted victim’s phone. During the hack, he downloaded what appeared to be a legitimate app recommended by a friend in an email, but spyware was hiding in a repackaged version of the app. Once the app was installed, it silently sent inbound text messages from his phone straight to the attacker’s phone. Also concerning, the hacked text messages could be used to access a Gmail account using two-factor authentication.

John’s demo highlights how effective social engineering tactics can be — even with the savviest smartphone users. To counter the risk, there are several simple ways people can stay safe:

  • Be careful of links from email, text message and social networking sites that ask you to download or install something.

  • Only download apps from trusted sources, like the Google Play Store and Apple App Store.

  • Review the app permissions before downloading an app and make sure they match the functionality of the app.
Category:   Lookout News
April 12, 2013

5 Tech Gadgets to Get Excited About

The fact that the PC doesn’t need to be part of the new computing equation is worth taking note. Game changing technological innovation is no longer limited to what features stand out in the latest operating systems or how fast the next generation of processors will be — it’s about finding ways to enhance the way we function as we go about our daily routines. And hey, looking really cool in the process isn’t bad either. Here’s five tech gadgets we think you should get excited about:

Category:   Mobile Tips + Tricks
April 10, 2013

Sibling Rivalry: The Ackposts Family.

There are 11 known variants and of the Ackposts family with others, as yet undiscovered, lurking in cyberspace. This blog post covers two of those variants, .j and .k, that we analyzed last week.

While they share the same parents, and familial traits in code structure and behaviour are immediately obvious, these two siblings are quite different in character:

Ackposts.k masquerades as an innocent Manga reader that promises “All you can read Manga” to anyone that downloads it. However, once it’s run by the unsuspecting user, all pretence of innocence ends.

Like the rest of its family, Ackposts.k is currently only found in the Japanese market.

“All you can read Manga”

How it Works
Just like every other member of the Ackposts family, this malware is stand-alone.  It is very simple, containing only three classes that perform the malicious actions, before finally opening a webview containing the threatening text.  Interestingly, some unused assets hint that Ackposts.k is a heavily-modified version of an earlier app.

As with all of its kin, once executed by its victim, this malware has 3 simple objectives:

  1. It uploads all of its victim’s contacts and account information to a hardcoded web URL. In this case, the hardcoded URL is a virtual server instance within a popular cloud computing provider.

  2. It spams every contact in the addressbook with a download link that points to a new copy of this malware.

  3. Attempts to extort money out of the victim.

Ackposts.k appears to use a “bait and switch” strategy with its victims. The victim is pulled in with what looks like an ordinary Manga reader which when executed unexpectedly informs the victim that they have actually just subscribed to adult films featuring “Sex with mother” and then threatens that this subscription will be broadcast to every contact in their address book unless they pay the service charge. As the payment screen is in fact just a web contact form we were unable to ascertain whether this was a genuine payment mechanism or just some sort of cruel joke.


Screen Shot 2013-04-10 at 10.09.37 AM

Screen Shot 2013-04-10 at 10.10.36 AM

Ackposts.j also masquerades as an innocent application, but where Ackposts.k is darkly malicious, this member of the Ackposts appears to have a sense of humor: Ackposts.j is disguised as an “Infrared X-ray” application which promises to give you the ability to see through people’s clothes in similar fashion to the infamous Sony “Infrared nightshot” camera from 1998.

How it Works
Ackposts.j shares the same, simple three class structure common to all of the Ackposts family and uses the same process flow, before finally displaying the pictures seen in the walkthrough below.

Once activated this malware has the same high level objectives as its siblings:

  1. It uploads all of its victim’s contacts to a hardcoded web URL.

  2. It spams every contact in the address book with a download link that points to a new copy of this malware.

  3. It taunts the victim.

  4. It exits after displaying a fake Android error messag


Screen Shot 2013-04-10 at 10.06.15 AM
Screen Shot 2013-04-10 at 10.07.59 AM

Lookout’s Take
These two variants of Ackposts show how different children of the same malware family can appear to be.

Under the hood, these variants share the same DNA – the code is very similar, with the same function names, similar structure, and almost identical user experience flow. This leads us to believe that these variants are being produced by the same malware authors in an attempt to sweat as much value out of their asset as they can.

Ackposts.k is not the first piece of “blackmail ransomware” that we have seen on the Android platform, that distinction goes to FakeTimer, which also used the threat of imminent embarrassment

This type of scam is also not that unusual in Japan. The Japanese PC market in particular has seen this kind of ransomware before with malware such as the Kenzero Trojan identified by Trend Micro in 2010.

The use of cloud computing providers for malware command and control infrastructure is unusual but not unheard of. The simple fact is, malware authors will gladly use whichever cheap or free online resources they find, moving on to a new provider when that resource expires.

Who is Affected?
The Ackposts family appears to be limited to the Japanese market and infection numbers are low for all variants. The risk of infection consequently is very low.

Lookout users are protected from ALL variants of the Ackposts family.

As with all these threats, Lookout worked to take down the C&C servers for both variants, neutralising the malware and protecting the privacy of future victims.

The first Ackposts variant was discovered by Symantec in 2012.

Category:   Alerts