May 26, 2017 by

Judy Malware May Have Affected 36.5 Million Android Devices

Researchers have discovered what could possibly be the “largest malware campaign found on Google Play”, a Korean auto-clicking adware dubbed “Judy”.

While the newest wave of malware doesn’t extort victims via ransomware or credentials theft, it does propagate an auto-clicking adware to generate significant amounts of faux ‘clicks’ on advertisements to monetize its developers.

Researchers at Check Point have claimed that the malware-ridden apps could have reached a mammoth spread of between 4.5 million and 18.5 million downloads, according to data from Google Play.

The malicious apps have been available on Google Play for multiple years, according to Check Point, who further revealed that they were all updated recently. Still, the actual spread of the malware is a mystery, as researchers are yet to ascertain how long the malicious code has existed inside the apps.

Judy, like other successfully infiltrating Google Play malware before it, communicates with its Command and Control (C&C) server for its operation.

Researchers also described Judy’s exploit mechanism as it operates on victims’ devices.

To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store. Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author.

The malware then opens the URLs in a hidden webpage, using the supplied user agent to imitate a PC browser; that page receives a redirect request to another website. When the website launches, the malware uses the embedded JavaScript code to click on Google ad banners. The malware author is paid by the developer of the website for the resulting torrent of illegitimate clicks and traffic.
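The two traits described above, an Android app that sends a desktop browser user-agent and then fires a burst of ad-click requests, can be checked for in device or proxy traffic. The following is an added detection example, not code from the original article or from Check Point; the log format, package names, domains and the ad-click URL pattern are all constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log from a test device: one request per line.
# Fields: timestamp, package that opened the connection, user-agent, URL.
SAMPLE_LOG = """\
2017-05-26T10:00:01 pkg=com.example.puzzle ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0" url=http://landing.example/start
2017-05-26T10:00:02 pkg=com.example.puzzle ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0" url=http://ads.example/pagead/aclk?id=1
2017-05-26T10:00:02 pkg=com.example.puzzle ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0" url=http://ads.example/pagead/aclk?id=2
2017-05-26T10:00:03 pkg=com.example.puzzle ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0" url=http://ads.example/pagead/aclk?id=3
2017-05-26T10:00:04 pkg=com.example.news ua="Mozilla/5.0 (Linux; Android 7.0; Nexus 5X) Chrome/58.0 Mobile" url=http://news.example/top
2017-05-26T10:00:05 pkg=com.example.news ua="Mozilla/5.0 (Linux; Android 7.0; Nexus 5X) Chrome/58.0 Mobile" url=http://ads.example/pagead/aclk?id=9
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) pkg=(?P<pkg>\S+) ua="(?P<ua>[^"]*)" url=(?P<url>\S+)$')
# Desktop OS tokens that a genuine Android WebView would not send (assumed list for this example).
DESKTOP_UA_RE = re.compile(r"Windows NT|Macintosh|X11; Linux")
# Ad-click endpoint path; the pattern is an assumption, tune it to the ad networks in your traffic.
AD_CLICK_RE = re.compile(r"/pagead/aclk")


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def score_apps(text, click_threshold=3):
    """Return {package: counters} for apps that both spoof a desktop user-agent and
    issue at least click_threshold ad-click requests, the combination described for Judy."""
    stats = defaultdict(lambda: {"requests": 0, "desktop_ua": 0, "ad_clicks": 0})
    for rec in parse_log(text):
        s = stats[rec["pkg"]]
        s["requests"] += 1
        if DESKTOP_UA_RE.search(rec["ua"]):
            s["desktop_ua"] += 1
        if AD_CLICK_RE.search(rec["url"]):
            s["ad_clicks"] += 1
    return {pkg: s for pkg, s in stats.items()
            if s["desktop_ua"] > 0 and s["ad_clicks"] >= click_threshold}


if __name__ == "__main__":
    for pkg, s in score_apps(SAMPLE_LOG).items():
        print(f"suspect {pkg}: {s}")
```

On the constructed log only the puzzle app is flagged: the news app reaches an ad-click URL once, but with a mobile user-agent and below the burst threshold.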

The same malware has been discovered in other applications developed separately by other devs. “The connection between the two campaigns remains unclear, and it is possible that one borrowed code from the other, knowingly or unknowingly,” researchers wrote.

The second campaign’s oldest app was last updated in April 2016. In other words, the malicious code has been available on the Play Store, undetected, for over a year. The second campaign’s download count of infected apps is anywhere between 4 and 18 million, which leaves up to 36.5 million users possibly infected by the adware.

Upon learning of the threat from the researchers, Google has since removed the malicious apps from the Play Store.

Image credit: Pixabay.

About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
