New malware hits millions of Android devices, infected apps removed by Google

Up to 36.5 million Android devices may have been infected by a malware found in over 41 apps on Google Play Store that generates fake clicks for adverts, say security researchers.

The malware, named “Judy”, was discovered by a security research firm Checkpoint in over 41 apps available on Play Store, suspiciously developed by a Korean company Kinwini and published under the moniker ENISTUDIO Corp.

“The malware uses infected devices to generate large amounts of fraudulent click on advertisement, generating revenues for the perpetrators behind it,” Checkpoint said in a blogpost.

According to Checkpoint, it is possible that developers may have borrowed the malicious code from others, knowingly or unknowingly, which caused spike in number of phones infected by the malware.

"It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown," Check Point says, but those download numbers mean "the total spread of the malware may have reached between 8.5 and 36.5 million users."

The research firm noted that the malicious code was present hidden in an app since April 2016, undetected by Google.

Google “swiftly” removed the infected apps from Play Store after being notified about their existence, but not before, they “reached an astonishing spread between 4.5 million and 18.5 million downloads.”

“Some of the malware apps we discovered resided on Google Play for several years, but all were recently updated,” Checkpoint added.

What is Judy and how does it work?

The malware “Judy” is an auto-clicking adware which help companies boost their revenues. Hacker designed the malware in such a way that it bypasses Google Play Store’s protection. It “seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store.”

Checkpoint explained: “Once a user downloads a malicious app, it silently registers receivers which establish a connection with the command-and-control server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.

“Upon clicking the ads, the malware author receives payment from the website developer, which pays for the illegitimate clicks and traffic.”