More than 41 Android apps managed to bypass Google's protections in the Play Store and make heaps of cash for their devs

May 29, 2017 20:32 GMT  ·  By

What is believed to be one of the largest malware campaigns ever seen on the Google Play Store has been discovered by security firm Checkpoint, which estimates that between 4.5 and 18.5 million downloads per app added up to roughly 36.5 million Android devices infected with auto-clicking adware.

According to the report, more than 41 Android apps made by a Korean company and uploaded to the Google Play Store carry malicious code. They have attracted a large user base and are earning their authors substantial sums by generating fake ad clicks from the infected devices.

Developed by Korea-based Kiniwini, all the malicious apps are published under the moniker ENISTUDIO. They all contain an adware component dubbed Judy, which is used to generate fraudulent ad clicks and collect the resulting ad revenue.

It's not just this particular developer that's distributing apps infected with Judy: apps from several other developers were also found to contain the same malware, and it is not yet clear how the code ended up there.

The malware has been dubbed Judy because many of the apps published by Kiniwini carry the name, whether as "Fashion Judy," "Chef Judy," or "Animal Judy."

How does it work?

"To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store," Checkpoint experts explain. "Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author."

The malware then opens those URLs in a hidden web view, spoofing the user agent of a desktop browser. The page redirects to another website and, once that site has loaded, the malware injects the JavaScript code to locate banners served by Google's ad infrastructure and click on them.

Each click generates revenue for the malware authors through the aforementioned website.
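One way an ad network or site owner could look for this pattern on the serving side, as an added example that is not Check Point's code or anything from the report: a hidden Android WebView that spoofs a desktop User-Agent still behaves like an app, so a defender can cross-check the claimed browser against other request properties and against click rate. The script below assumes a log format where each request records the client, path, User-Agent and the X-Requested-With header that Android WebViews attach (carrying the calling app's package name); the log lines, package names, paths and thresholds are all constructed for illustration.

```python
"""Heuristic detector for Judy-style auto-click traffic in ad request logs.

Added example, not Check Point's code. The line format, header names,
package names and thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (one request per line):
# <ISO timestamp> <client id> <method> <path> ua="<User-Agent>" xrw="<X-Requested-With or ->"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) '
    r'ua="(?P<ua>[^"]*)" xrw="(?P<xrw>[^"]*)"$'
)
DESKTOP_RE = re.compile(r'Windows NT|Macintosh|X11; Linux')   # desktop platform tokens
MOBILE_RE = re.compile(r'Android|Mobile|iPhone')               # tokens a real phone browser sends
PACKAGE_RE = re.compile(r'^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$')  # Android package name shape

# Constructed sample traffic (not real data). c1 mimics the behaviour described above:
# desktop UA, but the request carries an Android package name and clicks rapidly.
UA_DESKTOP = ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 '
              '(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36')
UA_ANDROID = ('Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 '
              '(KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36')
UA_WEBVIEW = ('Mozilla/5.0 (Linux; Android 7.0; SM-G930F; wv) AppleWebKit/537.36 '
              '(KHTML, like Gecko) Version/4.0 Chrome/58.0.3029.83 Mobile Safari/537.36')
SAMPLE_LOG = "\n".join([
    f'2017-05-29T20:00:01Z c1 GET /ads/click?id=101 ua="{UA_DESKTOP}" xrw="com.example.chefjudy"',
    f'2017-05-29T20:00:09Z c1 GET /ads/click?id=102 ua="{UA_DESKTOP}" xrw="com.example.chefjudy"',
    f'2017-05-29T20:00:17Z c1 GET /ads/click?id=103 ua="{UA_DESKTOP}" xrw="com.example.chefjudy"',
    f'2017-05-29T20:00:24Z c1 GET /ads/click?id=104 ua="{UA_DESKTOP}" xrw="com.example.chefjudy"',
    f'2017-05-29T20:00:33Z c1 GET /ads/click?id=105 ua="{UA_DESKTOP}" xrw="com.example.chefjudy"',
    f'2017-05-29T20:00:41Z c1 GET /ads/click?id=106 ua="{UA_DESKTOP}" xrw="com.example.chefjudy"',
    f'2017-05-29T20:00:05Z c2 GET /ads/click?id=201 ua="{UA_DESKTOP}" xrw="-"',       # real PC user
    f'2017-05-29T20:00:12Z c3 GET /ads/click?id=301 ua="{UA_ANDROID}" xrw="-"',       # real phone browser
    f'2017-05-29T20:07:45Z c3 GET /ads/click?id=302 ua="{UA_ANDROID}" xrw="-"',
    f'2017-05-29T20:01:02Z c4 GET /ads/click?id=401 ua="{UA_WEBVIEW}" xrw="com.example.newsreader"',  # honest in-app WebView
])


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%Y-%m-%dT%H:%M:%SZ')
    return rec


def spoofed_desktop_webview(rec):
    """True when the UA claims a desktop browser but X-Requested-With names an Android app."""
    ua, xrw = rec['ua'], rec['xrw']
    looks_desktop = bool(DESKTOP_RE.search(ua)) and not MOBILE_RE.search(ua)
    return looks_desktop and bool(PACKAGE_RE.match(xrw))


def click_bursts(records, path_prefix='/ads/click', window=timedelta(seconds=60), threshold=5):
    """Return {client: max clicks in any sliding window} for clients at or above the threshold."""
    per_client = defaultdict(list)
    for r in records:
        if r['path'].startswith(path_prefix):
            per_client[r['client']].append(r['ts'])
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged


def analyze(log_text):
    """Run both heuristics over a log and report the clients each one flags."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    spoofed = sorted({r['client'] for r in records if spoofed_desktop_webview(r)})
    return {'spoofed_webview_clients': spoofed, 'click_burst_clients': click_bursts(records)}


if __name__ == '__main__':
    print(analyze(SAMPLE_LOG))
```

Only the client that combines a desktop User-Agent with an app package name and a burst of clicks trips both checks; the honest in-app WebView (c4) is not flagged because its User-Agent truthfully reports Android, and the real phone user (c3) clicks too slowly. Either heuristic alone is weak (the header can be stripped, and thresholds are easy to tune under), which is why both signals should be combined with the ad network's own click-validity checks rather than used in isolation.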