Security researchers have unearthed a family of malware for Android-based smartphones that has been downloaded as many as 9 million times from Google Play, the official distribution platform hosted on Google servers.
BadNews, as the library of malicious code has been dubbed, was folded into at least 32 applications offered by four different developer accounts, according to a blog post published Friday by mobile security firm Lookout Mobile Security. Handsets that run the poisoned apps connect to a rogue server every four hours and report several pieces of sensitive information, including the device phone number and its unique hardware serial number, known as an International Mobile Station Equipment Identity (IMEI). The command and control servers, which were still operational as of Friday, also instruct some phones to display prompts to install AlphaSMS, a trojan that racks up charges by sending text messages to premium-rate services.
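The behaviour described above (a fixed four-hour check-in that carries the phone number and IMEI) is the kind of pattern a defender can hunt for in outbound proxy or network logs. The following is an added example, not code from the original article or from Lookout: it parses a few constructed log lines, flags client/host pairs that are contacted on a regular cadence, and checks whether the requests carry an IMEI-shaped value (15 digits with a valid Luhn check digit) or a phone number. The hostnames, log format and identifier values are all made up for the example and are not BadNews indicators.

```python
"""Flag periodic check-ins that leak device identifiers (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: "<ISO timestamp> <client id> <URL>" per line.
# Hostnames, device id and parameter values are invented for this example.
SAMPLE_LOG = """\
2013-04-19T00:01:12Z dev-a http://c2.example/check?imei=490154203237518&phone=%2B15555550123
2013-04-19T04:01:30Z dev-a http://c2.example/check?imei=490154203237518&phone=%2B15555550123
2013-04-19T08:02:05Z dev-a http://c2.example/check?imei=490154203237518&phone=%2B15555550123
2013-04-19T12:01:48Z dev-a http://c2.example/check?imei=490154203237518&phone=%2B15555550123
2013-04-19T00:03:00Z dev-a http://cdn.example/news.json
2013-04-19T02:17:00Z dev-a http://cdn.example/news.json
2013-04-19T09:40:00Z dev-a http://cdn.example/news.json
"""

IMEI_RE = re.compile(r"^\d{15}$")
PHONE_RE = re.compile(r"^\+?\d{10,15}$")


def luhn_valid(digits):
    """Luhn checksum, which the 15-digit IMEI uses for its final digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_imei(value):
    return bool(IMEI_RE.match(value)) and luhn_valid(value)


def looks_like_phone(value):
    return bool(PHONE_RE.match(value))


def parse_log(text):
    """Return (timestamp, client, host, query params) for each log line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, url = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        parts = urlsplit(url)
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        rows.append((when, client, parts.hostname, params))
    return rows


def find_beacons(text, period_hours=4.0, tolerance_hours=0.25, min_hits=3):
    """Flag (client, host) pairs contacted at a steady interval near
    period_hours; report which identifier types the requests carry."""
    by_pair = defaultdict(list)
    for when, client, host, params in parse_log(text):
        by_pair[(client, host)].append((when, params))

    findings = {}
    for (client, host), hits in by_pair.items():
        hits.sort(key=lambda h: h[0])
        if len(hits) < min_hits:
            continue
        deltas = [(b[0] - a[0]).total_seconds() / 3600
                  for a, b in zip(hits, hits[1:])]
        if not all(abs(d - period_hours) <= tolerance_hours for d in deltas):
            continue  # irregular cadence: ordinary app traffic
        leaked = set()
        for _, params in hits:
            for value in params.values():
                if looks_like_imei(value):
                    leaked.add("imei")
                elif looks_like_phone(value):
                    leaked.add("phone")
        findings[(client, host)] = {
            "interval_hours": round(mean(deltas), 2),
            "identifiers": sorted(leaked),
        }
    return findings


if __name__ == "__main__":
    for pair, info in find_beacons(SAMPLE_LOG).items():
        print(pair, info)
```

A steady polling interval on its own is weak evidence, since plenty of legitimate apps poll on a timer; the combination of a fixed cadence with an IMEI or phone number in the request is what makes the pair worth a closer look. The four-hour period comes from the Lookout description above, and the tolerance and minimum hit count are tunable assumptions.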
The people behind the campaign were able to sneak BadNews past Google defenses by adding the malware library to innocuous apps after they had already been submitted to Google Play. That gave the apps an appearance of trustworthiness to measures such as Bouncer, the cloud-based service that scours Play for abusive apps, since the initial submission contained nothing malicious. It was only later that the apps were updated to carry out the attacks. Figures provided by Google Play showed the targeted apps had been downloaded between 2 million and 9 million times. It's unclear how many of those downloads occurred after the apps had been updated to include BadNews.