Dozens of Android applications distributed via the Google Play store have exposed up to 36.5 million users to an auto-clicking adware, Check Point security researchers reveal.
Dubbed Judy, the adware was initially discovered in 41 applications developed by a Korean company, some of which had been in the app marketplace for years. All of these programs were updated recently and had accumulated between 4.5 million and 18.5 million downloads by the time the security researchers found the malware.
In a second campaign, the same piece of adware was found in applications from other developers as well, again with a large number of total downloads, between 4 and 18 million (some apps had over 1 million downloads each). Together the two campaigns potentially exposed over 36 million users to Judy, and the security researchers suggest the campaigns may have borrowed code from one another.
The malicious code managed to stay hidden in the Google Play store for a long time: the oldest app in the second campaign was last updated in April 2016. All of the offending applications were removed from the storefront after Google was notified of the issue.
The crooks behind these campaigns bypassed Google Play's vetting (known as Bouncer) by publishing a seemingly benign "bridgehead" app that contains nothing for the store's checks to flag at submission time. Only after the user installs it from Google Play does the app silently register receivers and open a connection to the command and control (C&C) server, at which point the malicious behaviour is driven from outside the store's reach.
The apps in the first campaign were developed by a Korean company named Kiniwini, which also develops iOS apps and is registered on Google Play as ENISTUDIO corp. Despite being published by a registered company, the offending apps engage in illicit activity, using victims' mobile devices to generate fraudulent clicks and revenue for the operators.
Furthermore, Judy was also found to display a large amount of advertisements, some of which “leave users with no option but clicking on the ad itself.”
Although some users noticed the nefarious behavior, most of the applications still carry positive ratings. That is not unusual for malicious apps: cybercriminals can easily hide an app's real purpose or manipulate users into leaving positive reviews, as seen with DressCode and the recently observed fake System Update app.