Android malware scores nine million downloads with fake ad network SDK

Android malware scores nine million downloads with fake ad network SDK

Summary: Attackers have found a side route to Android users that follow the good practice of only downloading apps from Google’s official store.


Makers of Android malware have developed an ad network SDK that pushes malicious software through seemingly innocuous apps.

Google has suspended several accounts associated with 32 apps on Google Play containing the malicious SDK which have been downloaded up to nine million times, according to mobile security firm Lookout.

Legitimate ad network SDKs, such as Google's own AdMob SDK, offer app developers the libraries to distribute in-app ads and monetise free apps. The malicious ad network masquerades as a genuine one, largely but not exclusively targeting Russian-speaking users. The SDK has been installed on a range of apps including games, recipe, sex and dictionary apps, some of which are also aimed at English-speaking users.

"Because it's challenging to get malicious bad code into Google Play, the authors of Badnews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny," Lookout's principal security researcher Marc Rogers noted in an alert on Friday.

In violation of Google's developer terms, the malicious ad network causes the app to impersonates news messages, including fake alerts encouraging the user to install a "critical update" to Russian social network Vkontake, Skype, and other apps. The fake update attempts to lead the user to a website to install a premium rate SMS app and also sends the user's phone number and device ID to a command server.

The attackers took their cue from shady affiliate-based marketing websites, according to Rogers. Using an ad network to distribute malware is a "significant development" in mobile malware since it overcomes the hurdles placed at the gateway to app marketplaces, Lookout said.

Sidestepping Google protection

Google launched its server-side scanner Bouncer to fend off malicious submissions in early 2012, and late last year added a client-side malware scanner to Android 4.2 Jelly Bean that could be used to vet apps installed outside the official store.

The discovery of the malicious SDK follows reports last week from Russian security firm Dr Web that malware distributors were using Android in-app advertising to spread fake antivirus, bringing an old pest from the desktop to mobile. 

The threat, which Dr Web has called Android.Fakealert, prompts users via in-app advertising users to install fake antivirus.

The fake antivirus or scareware scam was growing pest for desktop users until a major crackdown by the FBI and Russian authorities took out lead players in the industry back in 2011. 

Dr Web says the fake alert scam for Android has been around since October 2012. However, the company's CEO Boris Sharov told ZDNet that this threat was not being distributed via Google Play.

Topics: Security, Android, Google, Malware, Mobility

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Ah the old Saying

    With great power, comes great responsibility. This will only get worse.
    Dreyer Smit
  • The main problem is ...

    ... delayed code downloading. No security system whatsoever can prevent downloading of malicious software once the "host" application is running with all rights granted. That actually is the very description of malware.

    Google should add an extra layer of security so that no app can download unauthorized code.
    Google should further add so called "fake data" that can be fed to apps craving for all sorts of personal data like location, etc.

    Imagine an unaware phone user, all of sudden being confronted with a $1000 bill for calling all sorts of salacious hotlines ... actually the phone did it on a daily basis between 2am and 4am surreptitiously.
  • Unfortunately

    Unfortunately, the more control you give the user over his device, the more ability you give him to open up security holes. Personally, I appreciate the "install from other sources" option in Android, but it's a good thing that Google turns that option of by default. Perhaps rather than an on or off toggle setting, the user should be able to build a whitelist of foreign sources from which to install apps.
    • Did you not read the article?

      These were downloaded from Google Play. I could be wrong, but I don't think that's a "foreign source."
      • Read the article again

        It's a little confusing, if you don't know how Android works. The app you downloaded from the Play Store doesn't send the premium SMSes itself. It prompts you to install malicious apps from an external ad store. By default, installing apps from external sources is disabled. So a end user would first have to turn that setting on. Then look at the permissions the app requests and allow those permissions (which will include sending SMSes). And only then will the app get installed. This is essentially a variation of phishing in emails.
        • agreed

          but that does not happen in other OSes as they are controlled like ios and wp8 or etc
    • a bit further...

      also enabling the "allow foreign sources" option should auto disable after 5 minutes so that you can't accidentally install something outside google play without noticing...
      • That is an excellent suggestion!

        I hope the Google team is reading this... they should implement your idea.
  • Android malware scores nine million downloads with fake ad network SDK

    That is just embarrassing and yet so many linux users were willing to download it. So glad I chose not to go with android.
    • look ma! another troll !!!

    • Sigh.

      Really? That's the best you could come up with?

      Man, even OwlllllllllllllllllllllllNet is cleverer than you.
    • Loverock-Davidson

      Don't you feel left out of it not having a cellphone?
      But then again, they wouldn't work well in your basement do they?
  • Lets have a resonable discussion

    (unlike such trolls as owllllnet) and start by comparing android and windows. With all due respect, the problem with windows has been:

    1) with XP and prior - full administrator access given by default, due to its original single-user, non-networked user-friendly design. Antivirus would have to detect you are running a malware .exe. Apps can be installed from anywhere on the internet. Any app can do whatever it wants.

    2) with vista and beyond, non administrator by default and warnings about running exe's, which may help, but easily compromised when using a browser due to the excessive vulnerabilites going back to code from the DOS days. Much of this legacy code is still present even in windows RT.

    With android, the problem is not 'exploits' due to an insecure design. Android is a "proper OS" design with security in mind from the start. The "malware problem" is Android consiously chosing to walk the line between pure security and convienence/openness. For example there are no "drive by" malware pwn-the-system types of problems as plagues windows, due to an inherent sandboxing provided by the *nix OS design.

    Google could one day simply choose to run the play store just like apple, more carefully vetting each app, rejecting a huge portion of them, and disallow sideloading of apks. If this was done, android would be as "malware free" as iOS. They would be critisized as being a walled garden but would then have a great reputation for being malware free like apple. However, most people would be upset and not be interested in android anymore.
    • "... If this was done, android would be as "malware free" as iOS"

      Not quite. There's still the problem with the carriers failing to promptly push Android security updates to their users:

      "ACLU Issues Wake-Up Call To Android Service Providers

      That's right. The ACLU has formally complained to the U.S. FTC that the carriers, AT&T, Verizon, Sprint, and T-Mobile, are too slow to issue patches that fix Android security vulnerabilities to their customers.

      Of course, one could simply choose to purchase an unlocked Nexus device from Google. Because Google is actually quick to generate Android security patches and unlocked Nexus devices get updated promptly.
      Rabid Howler Monkey
      • yes the

        carrier problem could potentially be an additional issue vs apple, but to be honest, I have owned a nexus 7, galaxy nexus, and now nexus 4 and have never seen any emergency 'out of band' or 'patch tuesday' type security patches. You know these because the phone has to reboot, and goes to the bootloader and flashes the OS patch. I have only seen this happen for major/minor android version releases.
    • There's a simple, obvious flaw with that analysis...

      Windows and IE tend to be one of the last OSes cracked at events like Pwn2Own.

      So when you suggest that the problem isn't solved because someone might be "easily compromised when using a browser due to the excessive vulnerabilites going back to code from the DOS days" my question is - which browser are you talking about? Win7 and Win8 are IE9 and IE10 based and those both have gotten pretty good scores for security.

      Sidenote: It's interesting that you defend Android (sort of) by comparing it to Windows in a rather specious way (Windows XP? Really? That's a 12 year old OS that's at EOL) and then Win7 and Win8 but throwing in an unspecified 'browser' as the weakness (hey, at least you're implicitly suggesting Windows Vista and later aren't the problem anymore)... then suddenly you jump to iOS as the gold standard - conveniently bypassing MacOS X, which has seen an upswing in malware lately.

      In the end, what no one's asked is 'how much damage did this actually do?'
    • ??

      comparing with windows ?
      try with windows phone 8
  • Permissions

    I'm not as techie as most who post here, but I intuitively know that all the permissions most apps require for use are extremely intrusive. I don't understand why they need this information, but I can certainly understand why they WANT this data. It's all about building a profile for the user that is valuable to advertising companies, and this translates to the almighty dollar. Is there nothing else that drives commerce other than the relentless pursuit of the last possible nickel that can be wrung from the consumer? Yes, business is all about making money, but do they need to strip the consumer naked in order to accomplish their goal? I sometimes think marketing companies know more than my husband does about me after 32 years of marriage!
    • I belive google is the least greedy and unethical

      There is such a thing as honest captalism and they are as close to it as anyone for a big corporation. Nothing is perfect - its called reality.
      What about google is just about the buck? Larry and sergey are already billionaires. They just like doing the work that they do.
      Yes the same could be said of steve ballmer but he is driven by the numbers and that sort of competition, like winning, etc.
      MS has a lot more old-timers who are just desparate to hang on to their jobs and will do anything like sabotage the other division's products for job security.

      As far as stripping the consumer naked, an example: the nexus 4 phone until recently had the overall best performance of any phone on the market, nearly the best screen and gorgeous all glass construction. No contract cost: $300.
      iPhone - $600 and up. Samsung S3 - $600, note 2 - $650, Nokia lumias - $600ish.

      I know many will reply with somethign like "yes, but that's because google spies and does various evil things with your info." No. They do exactly what they say they do. Give relevant non-intrusive advertising based on your search queries and gmail text. There is no hidden "spying" (whatever that even means here) going on.

      I'll tell you where there is - on Bing and zillions of other sites. You know why - because they don't use https and therefore true spies can be monitoring your pipes.