Lookout researchers recently found the new BadNews Android malware in 32 apps from four different developers on Google Play, including dictionary apps and popular games.
According to Lookout, the infected apps were downloaded between 2 million and 9 million times before they were removed by Google. The researchers says that's the highest malware distribution they've ever seen.
While BadNews poses as an ad network, it's capable of displaying fake news messages to push other malware (including the AlphaSMS premium rate SMS malware) and promote affiliated apps, and of uploading the user's phone number and device ID to command and control servers in Russia, Ukraine and Germany. The malware polls its command and control server every four hours for new instructions.
What's particularly notable about BadNews, the researchers say, is the fact that it has achieved very wide distribution by using a server to delay its behavior. "If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred," writes Lookout's Marc Rogers.
As a result, Rogers notes, it's not clear whether the app developers were aware that their offerings were delivering malware, or if they were simply duped into installing what they thought was a benign ad network.