Dozens of Android applications distributed via the Google Play store have exposed up to 36.5 million users to an auto-clicking adware, Check Point security researchers reveal.
Dubbed Judy, the adware was initially discovered on 41 applications developed by a Korean company, some of which have been in the app marketplace for years. All of these programs were updated recently and had between 4.5 million and 18.5 million downloads when the security researchers found the malware.
In a second campaign, the same piece of adware was found within applications from other developers as well, also with a large number of total downloads, between 4 and 18 million (some apps had over 1 million downloads each). Potentially impacting over 36 million users to Judy, the two campaigns might have borrowed code from one another, the security researchers explain.
The malicious code managed to stay hidden in the Google Play store for a long time, as the oldest app in the second campaign was last updated in April 2016. All of the offending applications have been removed from the application storefront after Google was notified on the issue.
The crooks behind these campaigns managed to bypass Google Play’s protection (known as Bouncer), by creating a seemingly benign bridgehead app that can establish connection to the victim’s device. After the user downloads it from Google Play, the app silently registers receivers to establish a connection with the command and control (C&C) server.
Once the connection has been established, the server delivers the malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. Even after infecting the device, the adware relies on communication with the C&C server to conduct its nefarious operations.
“The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure,” Check Point explains.
The discovered malicious apps were developed by a Korean company named Kiniwini, which also develops apps for iOS and which is registered on Google Play as ENISTUDIO corp. Despite being created by a company, the offending apps engage into illicit activities by using victims’ mobile devices to generate fraudulent clicks and revenue for operators.
Furthermore, Judy was also found to display a large amount of advertisements, some of which “leave users with no option but clicking on the ad itself.”
Despite users noticing the nefarious behavior, most of the applications have positive ratings, but it’s not unusual for malicious apps to have high reputation, as cybercriminals can easily hide the app’s real purpose or manipulate users into leaving positive ratings. Examples of such behavior would include DressCode or the recently observed fake System Update app.
Related: Thousands of Android Devices Infected by Marcher Trojan