Makers of Android malware have developed an ad network SDK that pushes malicious software through seemingly innocuous apps.
Google has suspended several accounts associated with 32 apps on Google Play containing the malicious SDK which have been downloaded up to nine million times, according to mobile security firm Lookout.
Legitimate ad network SDKs, such as Google's own AdMob SDK, offer app developers the libraries to distribute in-app ads and monetise free apps. The malicious ad network masquerades as a genuine one, largely but not exclusively targeting Russian-speaking users. The SDK has been installed on a range of apps including games, recipe, sex and dictionary apps, some of which are also aimed at English-speaking users.
"Because it's challenging to get malicious bad code into Google Play, the authors of Badnews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny," Lookout's principal security researcher Marc Rogers noted in an alert on Friday.
In violation of Google's developer terms, the malicious ad network causes the app to impersonates news messages, including fake alerts encouraging the user to install a "critical update" to Russian social network Vkontake, Skype, and other apps. The fake update attempts to lead the user to a website to install a premium rate SMS app and also sends the user's phone number and device ID to a command server.
The attackers took their cue from shady affiliate-based marketing websites, according to Rogers. Using an ad network to distribute malware is a "significant development" in mobile malware since it overcomes the hurdles placed at the gateway to app marketplaces, Lookout said.
Sidestepping Google protection
Google launched its server-side scanner Bouncer to fend off malicious submissions in early 2012, and late last year added a client-side malware scanner to Android 4.2 Jelly Bean that could be used to vet apps installed outside the official store.
The discovery of the malicious SDK follows reports last week from Russian security firm Dr Web that malware distributors were using Android in-app advertising to spread fake antivirus, bringing an old pest from the desktop to mobile.
The threat, which Dr Web has called Android.Fakealert, prompts users via in-app advertising users to install fake antivirus.
The fake antivirus or scareware scam was growing pest for desktop users until a major crackdown by the FBI and Russian authorities took out lead players in the industry back in 2011.
Dr Web says the fake alert scam for Android has been around since October 2012. However, the company's CEO Boris Sharov told ZDNet that this threat was not being distributed via Google Play.