Android OS is currently the most widely used mobile operating system in the world today. As the world gets more data-driven, users are storing more and more sensitive information on their devices.
As such, it is worrying that Android users are encountering new security threats that target Google’s mobile platform on a regular basis.
Computer security researchers at CheckPoint recently announced that they have discovered a massive malware campaign on Google’s official app store, Google Play.The malware has been dubbed “Judy,” and the researchers touched on the possibility of this malware campaign being the largest of its kind on Google Play currently.
The malware belongs to the class of software known as auto-clicking adware. It functions to generate large amounts of false clicks on advertisements through the infected Android devices. It is a significant source of fraudulent revenue for the actors behind it.
The malware was located on 41 different apps developed by a Korean firm called Kiniwini, which appears on Google Play Store as ENISTUDIO Corp. The firm creates apps for both Android and iOS operating systems. Interestingly, some of the affected apps have high ratings on the app store.
According to the researchers, the malicious apps achieved a spread of between 4.5 million and 18.5 million downloads.
The researchers advised that positive ratings do not indicate that an app is safe to download.
Hackers have been known to mask their intentions and, in some cases, manipulate users into awarding high ratings. Some Android users have reported the suspicious activities of the Judy malware.
Some of the apps containing the malware have been on Google Play for a number of years. However, all the apps had recently been updated. The actual spread of the malware could possibly be higher since no one knows conclusively how long the malicious code has been inside the apps.
The researchers also discovered a number of apps that were not developed by the Korean company but contained the malicious software. At the moment, the connection between these two campaigns has not been established.
There is speculation that it could be a case of borrowed code. The secondary developers may or may not have been complacent in this malware campaign.
The second group of apps achieved a spread of between 4 and 18 million downloads. This means that the total reach of the Judy malware could be between 8.5 and 36.5 million Android users.
The operations of the Judy malware are dependent on direct communication with its Command and Control server (C&C). The hackers were able to bypass Google’s Bouncer protection through a smart technique.
Google’s Bouncer service was developed to analyze apps and flag any that contain malicious code before they’re approved for entry into the app store. The service was developed after critics raised concerns about Android’s security compared to its key rival, Apple iOS.
The hackers bypassed this security system by developing a seemingly harmless bridgehead app, which establishes a connection to the target device, and inserts it into Google Play.
The app secretly registers receivers once an unsuspecting user downloads it. A connection is then established with the Command and Control server. The malicious payload containing JavaScript code, actor-controlled URLs, and a user-agent string is then sent to the victim device from the server end.
At this point, the malware employs the user-agent to open the URLs in a concealed webpage. It then uses the JavaScript code to locate and click on Google ads banners once the target website has been launched.
The authors behind the malware then receive payment from the website developer once the code clicks on the ads. The malicious script locates the target ads via a search for iframes with ads from Google infrastructure.
According to CheckPoint researchers, the reach of this malware means that the authors behind it may be generating large amounts of money.
The research team briefed Google on the situation, and the search engine giant has already removed many of the apps containing the malware from Google Play Store.
These developments indicate that users cannot fully depend on app stores for device security and they should implement cyber security safety practices.