April 19, 2013

The Bearer of BadNews

Overview
Lookout has discovered BadNews, a new malware family, in 32 apps across four different developer accounts in Google Play. According to Google Play statistics, the combined affected applications have been downloaded between 2,000,000 – 9,000,000 times. We notified Google and they promptly removed all apps and suspended the associated developer accounts pending further investigation. All Lookout users are protected against this threat.

BadNews masquerades as an innocent, if somewhat aggressive advertising network. This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network.  Because it’s challenging to get malicious bad code into Google play, the authors of Badnews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny.

Badnews has the ability to send fake news messages, prompt users to install applications and sends sensitive information such as the phone number and device ID to its Command and Control (C&C) server. BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps.

During our investigation we caught BadNews pushing AlphaSMS, well known premium rate SMS fraud malware, to infected devices.

BadNews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior. If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred. We have two big takeaways from the appearance of BadNews:

  1. Developers need to pay very close attention to any third-party libraries they include in their applications. Unsafe libraries can put their users and reputation at risk.

  2. Enterprise security managers must assume that even very well designed app-vetting processes will not be able to detect malicious behavior that hasn’t happened yet. Ongoing security monitoring is important to detect malicious behavior that happens some time after an app’s initial evaluation.

Impact
About 50% of the identified applications are in Russian and AlphaSMS is designed to commit premium rate SMS fraud in the Russian Federation and neighboring countries such as the Ukraine, Belarus, Armenia and Kazakhstan. It’s worth noting that the people controlling this malware are also using it promote their less popular apps, which also contain BadNews.

BadNewsMalwareLookout

The following table provides information about each of the 32 identified malicious apps, including high and low download boundaries.

Screen Shot 2013-04-18 at 9.16.29 PM

Lookout’s Take
BadNews is spun to look like an ordinary advertising network SDK and is hosted in a number of innocuous applications that range from Russian dictionary apps to popular games. It distributes the exact same malware that we have observed across a number of shady affiliate-based marketing websites. In addition, we found BadNews promoting other less popular affiliated apps, including a Russian diet app which also contained the BadNews.

It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network. However, based on our analysis of the backend code behind a number of these purported ad networks there is little doubt that BadNews is a fraudulent monetization SDK.

How it Works
Once activated, BadNews polls its C&C server every four hours for new instructions while pushing several pieces of sensitive information including the device’s phone number and its serial number (IMEI) up to the server.

The C&C server replies with instructions telling BadNews what to do next. Available instructions include displaying (fake) news to users, and prompting for installation of a downloaded app payload.

An example of a “news” response is shown below:

FakeNewsResponse

The Russian text roughly translates to “Critical Update to Vkontakte,” implying an available update to a popular Russian Social Networking app. We have also observed available “update” prompts for Skype.

In each case, the URL points to a download for the prolific AlphaSMS toll fraud app, which purports to install freely available software, but actually results in fraudulent charges via Premium SMS.

We have enumerated the majority of available download URLs and determined that most endpoints lead to the download of AlphaSMS. Others lead to cross-promotion of other infected apps on Google Play.

The APKs themselves have names such as skype_installer.apk, mail.apk, and vkontakte_installer.apk in an attempt to trick the user into accepting the permissions requested during APK installation and also line up with the text in the news article about this being part of a critical update.

Further, it is clear that a substantial amount of code in BadNews has previously appeared in other families associated with Eastern European toll fraud. The figure below summarizes the similarity of package structure, class names, method names and variables between BadNews and RuPaidMarket.m.

Screen Shot 2013-04-18 at 10.38.15 PM

Command & Control Servers

We have identified three C&C servers, one in Russia, one in the Ukraine, and one in Germany. All C&C servers are currently live but Lookout is working to bring them down.

How to Stay Safe

  • Make sure the Android system setting ‘Unknown sources’ is unchecked to prevent dropped or drive-by-download app installs.

  • Download a mobile security app like Lookout’s app that protects against malware as a first line of defense.

Looking for more information on mobile threats like BadNews? Check out Lookout’s Top Threats resource.

6 comments
  1. Paul says:

    Good thing Google / Spydroid blocked AdBlock from the Play store recently.

    It’s just a shame that Google’s hunger/greed for ad revenue is so great that they have to rely on third parties to identify spam installed on millions of devices.

    Focus on MONETIZING the user, indeed.

  2. Charlie says:

    “Once activated, BadNews polls its C&C server every four hours for new instructions while pushing several pieces of sensitive information including the device’s phone number and its serial number (IMEI) up to the server.” No that cant be a bad thing, crapogenmod does the same thing and they say it’s a good thing.

  3. Jake says:

    Nooo not bottle shoot!

  4. Harold says:

    Thank you… Very informative and I’ve been using Lookout for the last several years and am pleased with the program.

    Sincerely, Harold

  5. Kim says:

    Thank you I have Lookout on my new phone and feel more relaxed, knowing I am protected.

  6. Appatize says:

    A quick search on the Play Store shows that the last developer in the list, with the biggest app, is still live – https://play.google.com/store/apps/details?id=ru.blogspot.playsib.catchthefly

    Same package name as “Savage Knife”…

    Also, is there a way to know which “ad network” distributed this SDK? Are they still up and running??

    Thanks!

Leave a comment