Android malware scores nine million downloads with fake ad network SDK

Summary: Attackers have found a side route to Android users who follow the good practice of only downloading apps from Google's official store.

Makers of Android malware have developed an ad network SDK that pushes malicious software through seemingly innocuous apps.

Google has suspended several accounts associated with 32 apps on Google Play containing the malicious SDK, which have been downloaded up to nine million times, according to mobile security firm Lookout.

Legitimate ad network SDKs, such as Google's own AdMob SDK, offer app developers the libraries to distribute in-app ads and monetise free apps. The malicious ad network masquerades as a genuine one, largely but not exclusively targeting Russian-speaking users. The SDK has been installed on a range of apps including games, recipe, sex and dictionary apps, some of which are also aimed at English-speaking users.

"Because it's challenging to get malicious bad code into Google Play, the authors of Badnews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny," Lookout's principal security researcher Marc Rogers noted in an alert on Friday.

In violation of Google's developer terms, the malicious ad network causes the app to impersonate news messages, including fake alerts encouraging the user to install a "critical update" to the Russian social network Vkontakte, Skype, and other apps. The fake update attempts to lead the user to a website to install a premium-rate SMS app and also sends the user's phone number and device ID to a command server.

The attackers took their cue from shady affiliate-based marketing websites, according to Rogers. Using an ad network to distribute malware is a "significant development" in mobile malware since it overcomes the hurdles placed at the gateway to app marketplaces, Lookout said.

Sidestepping Google protection

Google launched its server-side scanner Bouncer to fend off malicious submissions in early 2012, and late last year added a client-side malware scanner to Android 4.2 Jelly Bean that could be used to vet apps installed outside the official store.

The discovery of the malicious SDK follows reports last week from Russian security firm Dr Web that malware distributors were using Android in-app advertising to spread fake antivirus, bringing an old pest from the desktop to mobile.

The threat, which Dr Web has called Android.Fakealert, prompts users via in-app advertising to install fake antivirus.

The fake-antivirus, or scareware, scam was a growing pest for desktop users until a major crackdown by the FBI and Russian authorities took out the lead players in the industry back in 2011.

Dr Web says the fake alert scam for Android has been around since October 2012. However, the company's CEO Boris Sharov told ZDNet that this threat was not being distributed via Google Play.


Liam Tung


Talkback

29 comments
  • Ah, the old saying

    With great power, comes great responsibility. This will only get worse.
    Dreyer Smit
  • Google itself is malware

    Google is the pirate and malware mother ship. Don't use software from an advertising firm.
    OwlllllNet
    • So funny…….

      Yea, you have a lot of credibility

      OwlNetm OwllNet, OwlllNetm OwllllnNet, Owllll1Net,
      OwlllllNet

      Been so many most likely missed one….
      LOL!…….. LOL!
      daikon
    • troll

      ...
      ukjb
    • Get lost, will you.

      you are not even worth bothering arguing with.
      DrWong
  • The main problem is ...

    ... delayed code downloading. No security system whatsoever can prevent downloading of malicious software once the "host" application is running with all rights granted. That actually is the very description of malware.

    Google should add an extra layer of security so that no app can download unauthorized code.
    Google should further add so called "fake data" that can be fed to apps craving for all sorts of personal data like location, etc.

    Imagine an unaware phone user, all of a sudden being confronted with a $1000 bill for calling all sorts of salacious hotlines ... actually the phone did it on a daily basis between 2am and 4am surreptitiously.
    EnticingHavoc
  • Unfortunately

    Unfortunately, the more control you give the user over his device, the more ability you give him to open up security holes. Personally, I appreciate the "install from other sources" option in Android, but it's a good thing that Google turns that option off by default. Perhaps rather than an on or off toggle setting, the user should be able to build a whitelist of foreign sources from which to install apps.
    dsf3g
    • Did you not read the article?

      These were downloaded from Google Play. I could be wrong, but I don't think that's a "foreign source."
      msalzberg
      • Read the article again

        It's a little confusing, if you don't know how Android works. The app you downloaded from the Play Store doesn't send the premium SMSes itself. It prompts you to install malicious apps from an external ad store. By default, installing apps from external sources is disabled. So an end user would first have to turn that setting on. Then look at the permissions the app requests and allow those permissions (which will include sending SMSes). And only then will the app get installed. This is essentially a variation of phishing in emails.
        os2baba
        • agreed

          But that does not happen in other OSes, as they are controlled, like iOS and WP8, etc.
          santosh0047
    • a bit further...

      also enabling the "allow foreign sources" option should auto disable after 5 minutes so that you can't accidentally install something outside google play without noticing...
      ukjb
      • That is an excellent suggestion!

        I hope the Google team is reading this... they should implement your idea.
        TheWerewolf
  • Android malware scores nine million downloads with fake ad network SDK

    That is just embarrassing and yet so many linux users were willing to download it. So glad I chose not to go with android.
    Loverock-Davidson
    • look ma! another troll !!!

      ...
      ukjb
    • Sigh.

      Really? That's the best you could come up with?

      Man, even OwlllllllllllllllllllllllNet is cleverer than you.
      TheWerewolf
    • Loverock-Davidson

      Don't you feel left out of it not having a cellphone?
      But then again, they wouldn't work well in your basement, would they?
      Agnostic_OS
  • Let's have a reasonable discussion

    (unlike such trolls as owllllnet) and start by comparing android and windows. With all due respect, the problem with windows has been:

    1) with XP and prior - full administrator access given by default, due to its original single-user, non-networked user-friendly design. Antivirus would have to detect you are running a malware .exe. Apps can be installed from anywhere on the internet. Any app can do whatever it wants.

    2) with Vista and beyond, non-administrator by default and warnings about running exes, which may help, but easily compromised when using a browser due to the excessive vulnerabilities going back to code from the DOS days. Much of this legacy code is still present even in Windows RT.

    With Android, the problem is not 'exploits' due to an insecure design. Android is a "proper OS" design with security in mind from the start. The "malware problem" is Android consciously choosing to walk the line between pure security and convenience/openness. For example there are no "drive by" malware pwn-the-system types of problems such as plague Windows, due to an inherent sandboxing provided by the *nix OS design.

    Google could one day simply choose to run the Play Store just like Apple, more carefully vetting each app, rejecting a huge portion of them, and disallowing sideloading of APKs. If this was done, Android would be as "malware free" as iOS. They would be criticized as being a walled garden but would then have a great reputation for being malware free like Apple. However, most people would be upset and not be interested in Android anymore.
    DrWong
    • "... If this was done, android would be as "malware free" as iOS"

      Not quite. There's still the problem with the carriers failing to promptly push Android security updates to their users:

      "ACLU Issues Wake-Up Call To Android Service Providers"
      http://www.darkreading.com/privacy/aclu-issues-wake-up-call-to-android-serv/240153210

      That's right. The ACLU has formally complained to the U.S. FTC that the carriers, AT&T, Verizon, Sprint, and T-Mobile, are too slow to issue patches that fix Android security vulnerabilities to their customers.

      Of course, one could simply choose to purchase an unlocked Nexus device from Google. Because Google is actually quick to generate Android security patches and unlocked Nexus devices get updated promptly.
      Rabid Howler Monkey
      • yes the

        carrier problem could potentially be an additional issue vs apple, but to be honest, I have owned a nexus 7, galaxy nexus, and now nexus 4 and have never seen any emergency 'out of band' or 'patch tuesday' type security patches. You know these because the phone has to reboot, and goes to the bootloader and flashes the OS patch. I have only seen this happen for major/minor android version releases.
        DrWong