A MALWARE FAMILY dubbed Badnews has been identified by Lookout Security and found lurking in Google Play developer accounts.
According to a blog post advising that Lookout Security customers are covered for the risk, the Badnews family resides in 32 apps that come from four Google Play developer accounts.
Lookout Security said that it told Google about the malware and that the search firm has shut down the accounts, but we are trying to confirm this with Google.
The security firm reckons that the applications, which are designed to look innocent, could have been downloaded anywhere between two million to nine million times.
"Badnews masquerades as an innocent, if somewhat aggressive advertising network. However, it has the ability to send fake news messages, prompt users to install applications and sends sensitive information such as the phone number and device ID to its Command and Control (C&C) server," the firm said in a blog post.
"Badnews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps."
About 50 percent of the identified applications, and they all look and sound a bit weird - Stupid Birds, anyone? - seem to be aimed at Russian speaking app users, and the malware distributed by Badnews includes AlphaSMS, a high cost money ripping off service popular in that country.
"Badnews is a significant development in the evolution of mobile malware because it has achieved very wide distribution by using a server to delay its behavior," added the blog post.
"If an app has not yet engaged in malicious behavior, a typical app vetting process would of course conclude that it was safe because the malicious behavior has not yet occurred." µ