"We've observed the app(lication) and we've reviewed all the logs we have access to," he said in that post. "We haven't seen a single instance of abusive SMS applications being downloaded as a result of BadNews."
SecurityLedger contacted Lookout for a reaction. The vendor's founder and CTO, Kevin Mahaffey, said, "We're open to all possibilities. But, having observed the behavior of this ad network at length and analyzed its code, we don't see any possibilities other than this being a malicious ad network."
According to Mahaffey, Lookout analyzed the underlying code that BadNews used to serve ads to mobile devices. "That analysis revealed that BadNews was substantially similar to another malicious ad network, which Lookout calls RUPaidmarket," according to SecurityLedger. Mahaffey said, "There is substantial code re-use. That indicates that the same person that wrote the RUPaidmarket malware is working on BadNews, as well."
Mahaffey also said that the "organization behind BadNews only pushes malicious ads for short periods of time, as little as five minutes a day. Intermittent scanning of the ad network might easily miss such activity, but any company that observed the network over time would catch it."
For the malware affiliates, the burgeoning social networks, coupled with lax end-user security awareness, are a key distribution channel for links to the disguised malware. During Operation Dragon Lady, Lookout reviewed 250,000 unique Twitter handles. Of those, 50,000 - one in five - linked directly to toll fraud campaigns created by malware affiliates, Lookout says.
According to Lookout, SMS short codes used in these apps are publicly registered "so a company is verifying [that] they will charge for Premium SMS." When a user sends a Premium SMS text, their phone bill is charged. Lookout says it has evidence that some affiliates are making up to $12,000 per month from such toll fraud.
The victim of these schemes is "usually a Russian speaking Android user looking for free apps, games, MP3s or pornography," according to Lookout's statement. "The victim may have been using search engine or click through links in Tweets or mobile ads, then unwittingly download the malicious app which secretly adds a premium SMS charge to their phone bill."
In a perverse way, that profile could seem like good news because it suggests the damage is limited to Android users in Russia. Yet the model being pioneered by these Malware Headquarters lends itself easily to globalization, via a kind of criminal franchising. The headquarters operations are expanding, constantly looking for new "hires" with new and emerging skills, according to Lookout, in order to manage and maximize profits.