This Family of Data-Stealing Android Malware Got Downloaded from Google Play Millions of Times

Everyone knows there's malware on Android, but for the most part it just hides out in the seedier back alleys of the OS. You're only likely to run into it if you start side-loading pirated apps, or frequenting sketchy unofficial app stores. But a newly uncovered family of malware—fittingly called "BadNews"—was just chillin' in Google Play, and has been downloaded somewhere between two and nine million times. In other words, a whole lot.

Uncovered by Lookout Mobile Security, BadNews likes to snag the phone numbers and serial numbers of the devices its on, sometimes pushing downloads of a straight-up trojan called AlphaSMS. The malware wasn't in the apps originally however, it snuck in later—seemingly through a malicious "ad network"—which was how the hackers managed to evade Google Play's anti-malware scrutiny for so long. Once Lookout pointed all this out to Google, the apps were taken down. Fortunately none of them were even remotely reputable to begin with and half were in Russian.

Of course it's disheartening to know that this kind of stuff made it into Play in the first place, but hopefully that trick will only work once. The majority of the store—espeically apps that you've actually heard of—are safe thanks to Google's watchful eye. But just keep in mind that if something there looks sketchy, it might be. [The Lookout Blog via Ars Technica]