Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Judy Adware Infects Dozens of Google Play Apps

Dozens of Android applications distributed via the Google Play store have exposed up to 36.5 million users to an auto-clicking adware, Check Point security researchers reveal.

Dozens of Android applications distributed via the Google Play store have exposed up to 36.5 million users to an auto-clicking adware, Check Point security researchers reveal.

Dubbed Judy, the adware was initially discovered on 41 applications developed by a Korean company, some of which have been in the app marketplace for years. All of these programs were updated recently and had between 4.5 million and 18.5 million downloads when the security researchers found the malware.

In a second campaign, the same piece of adware was found within applications from other developers as well, also with a large number of total downloads, between 4 and 18 million (some apps had over 1 million downloads each). Potentially impacting over 36 million users to Judy, the two campaigns might have borrowed code from one another, the security researchers explain.

The malicious code managed to stay hidden in the Google Play store for a long time, as the oldest app in the second campaign was last updated in April 2016. All of the offending applications have been removed from the application storefront after Google was notified on the issue.

The crooks behind these campaigns managed to bypass Google Play’s protection (known as Bouncer), by creating a seemingly benign bridgehead app that can establish connection to the victim’s device. After the user downloads it from Google Play, the app silently registers receivers to establish a connection with the command and control (C&C) server.

Once the connection has been established, the server delivers the malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. Even after infecting the device, the adware relies on communication with the C&C server to conduct its nefarious operations.

“The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure,” Check Point explains.

The discovered malicious apps were developed by a Korean company named Kiniwini, which also develops apps for iOS and which is registered on Google Play as ENISTUDIO corp. Despite being created by a company, the offending apps engage into illicit activities by using victims’ mobile devices to generate fraudulent clicks and revenue for operators.

Advertisement. Scroll to continue reading.

Furthermore, Judy was also found to display a large amount of advertisements, some of which “leave users with no option but clicking on the ad itself.”

Despite users noticing the nefarious behavior, most of the applications have positive ratings, but it’s not unusual for malicious apps to have high reputation, as cybercriminals can easily hide the app’s real purpose or manipulate users into leaving positive ratings. Examples of such behavior would include DressCode or the recently observed fake System Update app.

Related: Thousands of Android Devices Infected by Marcher Trojan

Related: Fake Netflix App Takes Control of Android Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.