The family of “Bad News” malware in Google Play downloaded up to 9 million times Apps steal sensitive data, push SMS app that racks up charges to pricey service.

Security researchers have unearthed a family of malware for Android-based smartphones that's been downloaded as many as 9 million times from Google Play, the official distribution platform hosted on Google servers.

BadNews, as the library of malicious code has been dubbed, was folded in to at least 32 applications offered by four different developer accounts, according to a blog post published Friday by Android app provider Lookout Mobile Security. Handsets that run the poisoned apps connect to a rogue server every four hours and report several pieces of sensitive information, including the device phone number and its unique serial number, known as an International Mobile Station Equipment Identity. The command and control servers, which were still operational as of Friday, also force some phones to display prompts to install AlphaSMS, a trojan that racks up charges by sending text messages to pricey services.

The people behind the campaign were able to sneak BadNews past Google defenses by adding the malware library to innocuous apps after they had already been submitted to Google Play. That gave the appearance of trustworthiness to measures such Bouncer, the cloud-based service that scours Play for abusive apps. It was only later that the apps were updated to carry out the attacks. Figures provided by Google Play showed the targeted apps had been downloaded from 2 million to 9 million times. It's unclear how many of the downloads involved apps after they had been updated to include BadNews.

"You can't even say Google was at fault in this because Google very clearly scrutinized all these apps when they want in," Marc Rogers, principal security researcher for Lookout, told Ars. "But these guys were cunning enough to sit there for a couple of months doing absolutely nothing and then they pushed out the malware."

Rogers said it's not clear exactly how BadNews got folded in to the apps, which contained a mix of games, dictionaries, wall papers, and other programs aimed at English- and Russian-speaking users. At least some of them were spawned by the people controlling the malware. Rogers held out the possibility that legitimate developers of other apps may have been duped into adding the malicious library to their code bases.

Malicious programs have been an unfortunate feature of Google Play since it debuted as the Android Market in 2008. Meanwhile there have been virtually no widespread reports of malicious titles infiltrating Apple's competing App Store. As was the case with BadNews, Google promptly removes malicious apps once employees become aware they're being hosted for download on the company's servers. Google representatives declined to say if they have any plans in place to stem the tide and also declined to comment on the record about the Lookout report.

As Rogers said, the persistent problem of malware available in Google Play isn't easy to solve, and the success of BadNews only raises the bar.

"This is a wakeup call for us in the industry to say: 'Bad guys are smart as well and they'll take a look at the security models we put in place and they'll find weaknesses in them,'" he said. "That's exactly what they've done here."