Six weeks ago, stories started to appear about malware called “BadNews” which was supposed to be like a Game of Thrones wedding for Android.
BadNews was supposed to be a new kind of mobile malware for the Android platform that harnesses mobile ad networks to push out malicious links and harvest information on compromised devices.
But according to Adrian Ludwig, who is a senior member of Google’s Android security team, the malware was not really all that bad.
Ludwig rubbished reports linking BadNews to sites that installed malicious programs. In fact, Google had found no evidence that BadNews was linked to SMS “toll fraud” malware.
Ludwig said that Google had watched the app, reviewed all the logs and there was not a single instance of abusive SMS applications being downloaded as a result of BadNews.
Google had done all the right things when BadNews was revealed. It pulled 32 applications from its Google Play store on 20 April. The suspensions followed reports about the malicious ad network by the mobile security firm Lookout Security on 19 April.
Lookout identified the 32 applications, and linked them back to four developer accounts on Google Play. It touted BadNews as being one of the first examples of malicious ad networks in the mobile space. It thought that an evil ad network was the next logical step to pushing malware to Android users, after Google began scanning applications on Google Play using its Bouncer application testing technology.
It was thought that BadNews operated like a legitimate ad network for a period of time after it was installed, but eventually began pushing malicious ads out to Android users who had downloaded and installed a mobile app bundled with the BadNews software.
Ludwig said Google never found evidence of malicious activity of this kind at all. Applications using the software had been downloaded by a “significant number of people” and he disputed links to SMS trojans or malicious web sites, specifically.
Google did not pull the apps because of malware, but because they violated Google’s Android developer agreement.
A spokesperson for Lookout Security told Security Ledger that the organisation behind BadNews only pushes malicious ads for five minutes a day. Intermittent scanning of the ad network might easily miss such activity, but any company that observed the network over time would catch it, Mahaffey said.