Mobile security researchers at Lookout have discovered BadNews malware in 32 apps across four different developer accounts on Google Play.
According to Google Play statistics, the combined affected apps have been downloaded between 2 – 9 million times.
“BadNews has the ability to send fake news messages, prompt users to install applications and sends sensitive information such as the phone number and device ID to its Command and Control (C&C) server. BadNews uses its ability to display fake news messages in order to push out other types of monetization malware and promote affiliated apps,” said Marc Rogers, Lookout’s principal security researcher.
Google has now removed the affected apps after Lookout raised the alarm. The developer accounts have also been suspended.
Some of the English-language titles include Collision, Star Knife and Stupid Birds.
"It is not clear whether some or all of these apps were launched with the explicit intent of hosting BadNews or whether legitimate developers were duped into installing a malicious advertising network," added Rogers.