Security researchers have detected about 32 separate applications on the Google Play app store that were infected with malware called BadNews.

According to researchers at mobile security company Lookout, the affected apps have been downloaded about 2,000,000 – 9,000,000 times.

Google has removed all the affected apps and deleted the accounts of the developers concerned, pending further investigation.

Lookout principal security researcher Marc Rogers said the malware masquerades as an innocent, if somewhat aggressive, advertising network.

"This is one of the first times that we’ve seen a malicious distribution network clearly posing as an ad network," Rogers said.

"Because it’s challenging to get malicious bad code into Google Play, the authors of BadNews created a malicious advertising network, as a front, that would push malware out to infected devices at a later date in order to pass the app scrutiny."

Additionally, researchers allege that the malware can deliver fake news messages, trick users into installing applications such as AlphaSMS, and send sensitive data, including the phone number and device ID, to its Command and Control (C&C) server.

Further, BadNews will use its ability to show fake news messages in a bid to deliver other types of monetisation malware and promote affiliated apps.

About half of the 32 apps infected with BadNews are Russian, and the AlphaSMS application it installs is tuned to use premium-rate numbers in Russia, Ukraine, Belarus, Armenia and Kazakhstan.

Lookout advises developers to be careful about any third-party libraries they incorporate into their applications, as insecure libraries can put their users and reputation at risk.