Google Play has removed 32 apps infected with a new form of malware known as ‘BadNews’. Between two to nine million users are thought to have downloaded the affected English and Russian-language apps, which range from games to recipe generators.
Google has now removed the affected apps after mobile security researchers at Lookout raised the alarm. They were available through four separate developer accounts, that have also been suspended.
In a blog post, Lookout released a list of apps it found containing the malware, which include English-language titles Collision, Star Knife and Stupid Birds.
BadNews lay dormant in the apps for weeks and disguised itself as an advertising network. Through this, it promoted other infected apps and tricked users with false updates for either Skype or Russian social network Vkontakte. This eventually led to the concealed use of AlphaSMS, a malicious programme which sends premium rate texts to numbers in Russia, Ukraine, Belarus, Armenia and Kazakhstan without the user’s knowledge or consent.
“It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network,” said Marc Rogers, Lookout’s principal security researcher.
Google ramped up its efforts against malware with scanning software Bouncer after previous attacks on Play Store apps, but has not officially commented on the most recent security bypass.