Monday, April 22, 2013

Android BadNews


After checking out an Android malware sample listed by Lookout as Trojan:Android/BadNews, I found a lot of contention in the security community as to whether this is a Trojan or just adware gone bad. The supposed command and control server at hxxp://androways.com is linked to the Russian Android adware company hxxp://mobidisplay.net. It looks like this ad company sends downloads to the Android device the app is installed on, and one of them happened to be linked to some Android spyware. Check out the VirusTotal link below to see that some antivirus products list this as adware while others list it as a Trojan. Either way, these were on the Google Play store and could have been downloaded without the need to go to alternate markets. The specific sample I studied can be found here: hxxp://files2.freesoft.ru/rep/711324/live.photo.sharonstone.apk.

This is a good example of why it is necessary to have some sort of antivirus or analysis software on your Android device.

The original post by Lookout is here:
https://blog.lookout.com/blog/2013/04/19/the-bearer-of-badnews-malware-google-play/

Two samples can be found here:
http://contagiominidump.blogspot.com/2013/04/badnews-android-adwaremalware-network.html

More samples can still be found in the wild here:
hxxp://freesoft.ru/?author=18604  (Russian alternate market -- malware links)

VirusTotal:
https://www.virustotal.com/en/file/9134ba9ce3e2a343de5abb986f04fa925a7032b5a842757d562afe3de0644a40/analysis/1366644359/


Stay safe out there
-R`/4N