Android Malware Infects 36.5M Devices

Tuesday, May 30, 2017 @ 05:05 PM gHale

One of the largest malware campaigns on the Google Play Store has been discovered: 36.5 million Android devices suffered an adware infection.

Over 41 Android apps made by a Korean company and uploaded to the Google Play Store carry malicious code, said researchers at Check Point.


The apps attracted plenty of users and are making the authors a ton of money by generating fake ad clicks from the infected devices, the researchers said in a blog post.

Developed by Korean-based Kiniwini, all the malicious apps are published under the moniker ENISTUDIO. They all contain an adware program called Judy and it generates fraudulent clicks in exchange for ad revenue.

It’s not just this developer that’s running apps infected with Judy; apps from other developers inexplicably contain the same malware.

The malware has been dubbed Judy mostly because a good part of the apps published by Kiniwini contain the name, whether it’s some variation of “Fashion Judy,” “Chef Judy,” or “Animal Judy.”

“To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store,” Check Point researchers said. “Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author.”

The malware then opens the URLs in a hidden webpage, using a user agent that imitates a PC browser, and receives a redirection to another website. As soon as that site loads, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.

Each click brings revenue to the malware authors via the website.
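One detection angle that follows from the description above is the mismatch between a known mobile device and the desktop browser user agent the hidden webpage presents. The following is an added example, not Check Point's code or anything from the Judy apps: it correlates constructed proxy log lines with a constructed device inventory (the log format, device ids, hostnames and user-agent strings are all assumptions) and flags requests where an Android device claims to be a PC browser.

```python
import re

# Constructed sample: a device inventory as an MDM export might provide it
# (device id -> platform). Values are made up for this example.
DEVICE_PLATFORM = {
    "dev-001": "android",
    "dev-002": "android",
    "dev-003": "windows",
}

# Constructed sample proxy log lines in an assumed format: <ts> <device_id> <method> <url> ua="<User-Agent>"
SAMPLE_LOG = """\
2017-05-30T10:00:01Z dev-001 GET https://example.invalid/news ua="Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 Chrome/58.0 Mobile Safari/537.36"
2017-05-30T10:00:02Z dev-001 GET https://ad.example.invalid/banner ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
2017-05-30T10:00:03Z dev-002 GET https://ad.example.invalid/banner ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
2017-05-30T10:00:04Z dev-003 GET https://example.invalid/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
2017-05-30T10:00:05Z dev-002 GET https://example.invalid/app ua="Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 Mobile Safari/537.36"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<dev>\S+) (?P<method>\S+) (?P<url>\S+) ua="(?P<ua>[^"]*)"$')
DESKTOP_UA = re.compile(r"Windows NT|Macintosh|X11; Linux x86_64")

def ua_looks_desktop(ua: str) -> bool:
    """True if the User-Agent claims a desktop OS and carries no mobile marker."""
    return bool(DESKTOP_UA.search(ua)) and "Mobile" not in ua and "Android" not in ua

def find_spoofed_ua_requests(log_text, inventory):
    """Return (device_id, url, ua) for every request in which a device the
    inventory lists as mobile presents a desktop User-Agent."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        dev = m.group("dev")
        platform = inventory.get(dev)
        if platform in ("android", "ios") and ua_looks_desktop(m.group("ua")):
            hits.append((dev, m.group("url"), m.group("ua")))
    return hits

if __name__ == "__main__":
    for hit in find_spoofed_ua_requests(SAMPLE_LOG, DEVICE_PLATFORM):
        print(hit)
```

A single mismatch is weak evidence on its own, since a user can request a desktop site in a mobile browser; what matters is the volume of such requests from one device toward ad-serving hosts.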
