April 19, 2013

The Bearer of BadNews

Lookout has discovered BadNews, a new malware family, in 32 apps across four different developer accounts in Google Play. According to Google Play statistics, the combined affected applications have been downloaded between 2,000,000 and 9,000,000 times. We notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation. All Lookout users are protected against this threat.

BadNews masquerades as an innocent, if somewhat aggressive, advertising network. This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network. Because it’s challenging to get malicious code into Google Play, the authors of BadNews created a malicious advertising network as a front: the apps pass review looking clean, and the network pushes malware out to infected devices at a later date.

BadNews can send fake news messages, prompt users to install applications, and send sensitive information such as the phone number and device ID to its Command and Control (C&C) server. BadNews uses its ability to display fake news messages to push out other types of monetization malware and to promote affiliated apps.

During our investigation we caught BadNews pushing AlphaSMS, a well-known premium-rate SMS fraud malware family, to infected devices.

BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior. If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred. We have two big takeaways from the appearance of BadNews:

  1. Developers need to pay very close attention to any third-party libraries they include in their applications. Unsafe libraries can put their users and reputation at risk.

  2. Enterprise security managers must assume that even very well designed app-vetting processes will not be able to detect malicious behavior that hasn’t happened yet. Ongoing security monitoring is important to detect malicious behavior that happens some time after an app’s initial evaluation.

About 50% of the identified applications are in Russian, and AlphaSMS is designed to commit premium-rate SMS fraud in the Russian Federation and neighboring countries such as Ukraine, Belarus, Armenia and Kazakhstan. It’s worth noting that the people controlling this malware are also using it to promote their less popular apps, which also contain BadNews.


The following table provides information about each of the 32 identified malicious apps, including high and low download boundaries.

[Table image: the 32 identified apps with their high and low download boundaries]

Lookout’s Take
BadNews is spun to look like an ordinary advertising network SDK and is hosted in a number of innocuous applications that range from Russian dictionary apps to popular games. It distributes the exact same malware that we have observed across a number of shady affiliate-based marketing websites. In addition, we found BadNews promoting other less popular affiliated apps, including a Russian diet app which also contained BadNews.

It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network. However, based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetization SDK.

How it Works
Once activated, BadNews polls its C&C server every four hours for new instructions while pushing several pieces of sensitive information including the device’s phone number and its serial number (IMEI) up to the server.

The C&C server replies with instructions telling BadNews what to do next. Available instructions include displaying (fake) news to users, and prompting for installation of a downloaded app payload.
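The polling and identifier upload described above leave a recognizable pattern in egress logs: one device contacting one host on a fixed period, with device identifiers in the request. As an added example that is not part of Lookout’s post, the following Python script scans constructed proxy log lines for request series on a roughly four-hour period and for query strings carrying a Luhn-valid IMEI or a phone number; the log format, hostnames and parameter names are assumptions, not the real BadNews protocol.

```python
# Flag BadNews-style C&C polling in proxy logs: near-periodic (~4 h) beacons from one
# device to one host, and requests carrying an IMEI or phone number (added example).
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log, "<ISO timestamp> <device> <host> <path>" per request. The
# hosts are placeholders; the post does not publish the real C&C hostnames.
SAMPLE_LOG = """\
2013-04-18T00:02:11 device-a cc.example.invalid /poll?imei=356938035643809&phone=%2B79001234567
2013-04-18T04:02:14 device-a cc.example.invalid /poll?imei=356938035643809&phone=%2B79001234567
2013-04-18T08:02:09 device-a cc.example.invalid /poll?imei=356938035643809&phone=%2B79001234567
2013-04-18T12:02:12 device-a cc.example.invalid /poll?imei=356938035643809&phone=%2B79001234567
2013-04-18T09:15:00 device-b ads.example.invalid /banner?size=320x50
2013-04-18T09:16:30 device-b ads.example.invalid /banner?size=320x50
"""
IMEI_RE = re.compile(r"[?&]imei=(\d{15})(?:&|$)")
PHONE_RE = re.compile(r"[?&]phone=(?:%2B|\+)?\d{7,15}(?:&|$)")

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; use it to reject arbitrary 15-digit values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_log(text):
    entries = []
    for line in text.splitlines():
        ts, device, host, path = line.split()
        entries.append((datetime.fromisoformat(ts), device, host, path))
    return entries

def find_beacons(entries, period_h=4.0, tolerance_h=0.25, min_periodic_gaps=2):
    """Map (device, host) -> findings for pairs that poll on a fixed period or leak IDs."""
    by_pair = defaultdict(list)
    for ts, device, host, path in entries:
        by_pair[(device, host)].append((ts, path))
    alerts = {}
    for key, items in by_pair.items():
        items.sort()
        gaps = [(b[0] - a[0]).total_seconds() / 3600 for a, b in zip(items, items[1:])]
        periodic = sum(abs(g - period_h) <= tolerance_h for g in gaps)
        imei = any(m and luhn_ok(m.group(1)) for m in (IMEI_RE.search(p) for _, p in items))
        phone = any(PHONE_RE.search(p) for _, p in items)
        if periodic >= min_periodic_gaps or imei or phone:
            alerts[key] = {"periodic_gaps": periodic, "imei": imei, "phone": phone}
    return alerts
```

Against the sample, only device-a’s series is flagged: three consecutive four-hour gaps plus an IMEI and phone number in the query string, while device-b’s ordinary ad banner requests are ignored.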

An example of a “news” response is shown below:


The Russian text roughly translates to “Critical Update to Vkontakte,” implying an available update to a popular Russian Social Networking app. We have also observed available “update” prompts for Skype.

In each case, the URL points to a download for the prolific AlphaSMS toll fraud app, which purports to install freely available software, but actually results in fraudulent charges via Premium SMS.

We have enumerated the majority of available download URLs and determined that most endpoints lead to the download of AlphaSMS. Others lead to cross-promotion of other infected apps on Google Play.

The APKs themselves have names such as skype_installer.apk, mail.apk, and vkontakte_installer.apk. These names line up with the “critical update” text in the fake news message and are meant to trick the user into accepting the permissions requested during APK installation.

Further, it is clear that a substantial amount of code in BadNews has previously appeared in other families associated with Eastern European toll fraud. The figure below summarizes the similarity of package structure, class names, method names and variables between BadNews and RuPaidMarket.m.

[Figure: similarity of package structure, class names, method names and variables between BadNews and RuPaidMarket.m]

Command & Control Servers

We have identified three C&C servers, one in Russia, one in the Ukraine, and one in Germany. All C&C servers are currently live but Lookout is working to bring them down.

How to Stay Safe

  • Make sure the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download app installs.

  • Download a mobile security app like Lookout’s app that protects against malware as a first line of defense.

Looking for more information on mobile threats like BadNews? Check out Lookout’s Top Threats resource.

  1. Paul says:

    Good thing Google / Spydroid blocked AdBlock from the Play store recently.

    It’s just a shame that Google’s hunger/greed for ad revenue is so great that they have to rely on third parties to identify spam installed on millions of devices.

    Focus on MONETIZING the user, indeed.

  2. Charlie says:

    “Once activated, BadNews polls its C&C server every four hours for new instructions while pushing several pieces of sensitive information including the device’s phone number and its serial number (IMEI) up to the server.” No that cant be a bad thing, crapogenmod does the same thing and they say it’s a good thing.

  3. Jake says:

    Nooo not bottle shoot!

  4. Do you have any mentorship available this summer for a rising high school senior? We have family in San Francisco and a son looking at UCSD for software engineering. He mentored at BIS (askbis dot com) locally as a rising high school junior last year. He’s on track for a comp-sci distinction to his diploma; presently completing level 3 Java, and a college-freshman level survey course among other requisites. Last summer he quickly proved himself useful and mature beyond his years to the team at BIS. // Any mentorship this summer would include his parents accompanying him to SFCA, providing meals, transportation and lodging for his workload, while we parents day-tour. // If not summer of 2013, how about same arrangement over winter holiday, spring 2014 holiday, or summer 2014??

  5. Harold says:

    Thank you… Very informative and I’ve been using Lookout for the last several years and am pleased with the program.

    Sincerely, Harold

  6. onbev3 says:

    I had this virus 2 months back. I deleted it. You need to go to https://accounts.google.com/IssuedAuthSubTokens on the account you use for Android, and possibly disable all apps

  7. onbev3 says:

    especially the double apps

  8. Kim says:

    Thank you I have Lookout on my new phone and feel more relaxed, knowing I am protected.

  9. Appatize says:

    A quick search on the Play Store shows that the last developer in the list, with the biggest app, is still live – https://play.google.com/store/apps/details?id=ru.blogspot.playsib.catchthefly

    Same package name as “Savage Knife”…

    Also, is there a way to know which “ad network” distributed this SDK? Are they still up and running??


  10. Simon Cohen says:

    All this is highly interesting and I have Lookout installed and Unknown sources unchecked. What could be done to check if the installed apps (not within the 32 known) are not already contamined? Thanks for answer.

  11. Marc Montour says:

    The problem for me is that Lookout will only protect 3 of my Android devices, and I have more. My Android TV boxes need protection too, but I cannot yet get them protected by Lookout. I am very happy with the app on the devices that have it running, and now feel safer for those.

  12. asdf says:

    FYI: Settings>Applications>”‘Unknown sources’ is unchecked”

  13. 8ohmh says:

    What about the libraries packed in the APK? I’ve got a specimen which also has an x86 library. What do you know?

  14. Ali says:

    I am writing about BadNews in my master’s thesis. My supervisor says that I have to refer to the actual Google Play statistics that say it has been downloaded 9 million times. I was wondering if you could tell me how to get the report from Google.

  15. Ann says:

    Lookout let me down when I needed it!!!
    About 2 weeks ago I lost my phone on the bus. At around 9:00 AM I used someone else’s phone to call my husband to tell him to activate the Lookout. He did this off and on all day. Lookout did NOT sound off the siren to tell the holder that it was being searched for, and it gave us the wrong information as to its location. Lookout was stating that my phone was in my house, when in fact it was at the bus station.

    Lookout did NOT help me locate my phone as guaranteed, nor did it scream/send out its alarm.
    I guess I need to rely upon the kindness and honesty of the general public, because I was NOT able to rely upon the help of Lookout; THE phone security company.
    Signed, Highly Displeased Customer
