Judy Malware May Have Affected 36.5 Million Android Devices

Researchers have discovered what could possibly be the “largest malware campaign found on Google Play”, a Korean auto-clicking adware dubbed “Judy”.

While this latest wave of malware doesn’t extort victims via ransomware or credential theft, it does deploy auto-clicking adware that generates large volumes of fake ‘clicks’ on advertisements to earn money for its developers.

Researchers at Check Point have claimed that the malware-ridden apps could have reached a mammoth spread of between 4.5 million and 18.5 million downloads, according to data from Google Play.

The malicious apps have been available on Google Play for multiple years, according to Check Point, who further revealed that they were all updated recently. Still, the actual spread of the malware is a mystery, as researchers are yet to ascertain how long the malicious code has existed inside the apps.

Judy, like other successfully infiltrating Google Play malware before it, communicates with its Command and Control (C&C) server for its operation.

The researchers also described how Judy operates once it is running on a victim’s device.

To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store. Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author.

The malware then opens the URLs in a hidden webpage, using the supplied user-agent string to imitate a PC browser; that page receives a redirect to another website. When that website loads, the malware uses the embedded JavaScript code to click on Google ad banners. The malware author is paid by the website’s developer for the resulting torrent of illegitimate clicks and traffic.
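The mechanism above produces one observable artefact on the defender’s side: a single client emitting clicks far faster than any human would. The following rate-based heuristic, an added example rather than code from Check Point or from the article, scans a constructed ad-server log (the log format, the client ids and the thresholds of 5 clicks per 60-second window are all assumptions for illustration) and flags clients whose click bursts are out of line with ordinary browsing:

```python
"""Sliding-window click-burst detector over a constructed ad-server log.

Added example for illustration; the log format, clients and thresholds are
assumptions, not data from the Judy campaign.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Fields: timestamp|client|user-agent|event
# dev-a fires 8 clicks in 21 seconds while claiming to be a Windows desktop browser;
# dev-b shows a plausible human pattern of one impression and a few spaced-out clicks.
SAMPLE_LOG = """\
2017-05-28T10:00:00|dev-a|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0|click
2017-05-28T10:00:03|dev-a|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0|click
2017-05-28T10:00:06|dev-a|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0|click
2017-05-28T10:00:09|dev-a|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0|click
2017-05-28T10:00:12|dev-a|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0|click
2017-05-28T10:00:15|dev-a|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0|click
2017-05-28T10:00:18|dev-a|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0|click
2017-05-28T10:00:21|dev-a|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0|click
2017-05-28T10:00:00|dev-b|Mozilla/5.0 (Linux; Android 7.0) Chrome/58.0|impression
2017-05-28T10:00:30|dev-b|Mozilla/5.0 (Linux; Android 7.0) Chrome/58.0|click
2017-05-28T10:04:00|dev-b|Mozilla/5.0 (Linux; Android 7.0) Chrome/58.0|click
2017-05-28T10:09:00|dev-b|Mozilla/5.0 (Linux; Android 7.0) Chrome/58.0|click
"""


def parse_log(text):
    """Parse pipe-separated log lines into (timestamp, client, user_agent, event) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, client, ua, event = line.split("|")
        events.append((datetime.fromisoformat(ts), client, ua, event))
    return events


def click_bursts(events, window=timedelta(seconds=60), max_clicks=5):
    """Return {client: peak clicks in any window} for clients exceeding max_clicks.

    Uses a two-pointer sliding window over each client's sorted click timestamps,
    so the scan is linear in the number of clicks per client.
    """
    clicks = defaultdict(list)
    for ts, client, _ua, event in events:
        if event == "click":
            clicks[client].append(ts)

    flagged = {}
    for client, times in clicks.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Advance the window start until all clicks inside it fall within `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_clicks:
            flagged[client] = peak
    return flagged


def analyze(text=SAMPLE_LOG):
    """Run the burst heuristic over a log text and return the flagged clients."""
    return click_bursts(parse_log(text))


if __name__ == "__main__":
    for client, peak in analyze().items():
        print(f"{client}: {peak} clicks within 60s -> suspicious")
```

On the constructed sample, dev-a is reported with a peak of 8 clicks inside one 60-second window while dev-b is not flagged. In practice the thresholds would be tuned per ad placement, and a burst hit would be combined with other signals the article hints at, such as a desktop user-agent arriving from a client that otherwise behaves like a mobile app.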

The same malware has been discovered in other applications developed separately by other devs. “The connection between the two campaigns remains unclear, and it is possible that one borrowed code from the other, knowingly or unknowingly,” researchers wrote.

The second campaign’s oldest app was last updated in April 2016. In other words, the malicious code has been available on the Play Store, undetected, for over a year. The second campaign’s infected apps have been downloaded anywhere between 4 and 18 million times, which leaves up to 36.5 million users possibly affected by the adware.

Upon learning of the threat from the researchers, Google has since removed the malicious apps from the Play Store.

Image credit: Pixabay.