Possibly the largest Android malware ever, 'Judy' infects ~36 million phones and tabs

According to security research firm Check Point, a new malware nicknamed 'Judy' is affecting a large number of Android devices all over the world. The malware generates fraudulent clicks on in-app advertisements, producing a large amount of illegal revenue for the publisher. The malware was found to be distributed through about 41 apps published on the Google Play Store. What's worse is that these apps are massively popular and have a reach of about 36 million phones globally.

Check Point further claims that some of these apps have been in the Play Store for a long time, and that the publisher had recently updated all of them. But the spread of the malware doesn't stop there. Check Point also observes that other app publishers have published apps containing the Judy code. These developers could have borrowed the code from the original publisher either knowingly or unknowingly.

The Judy malware functions similarly to earlier malware such as FalseGuide and Skinner. It receives its instructions from a C&C (Command and Control) server operated by the malware author. Google was prompt to remove these apps from the Play Store after Check Point informed Google about them.

The way Judy operates is very interesting. First, the malware must bypass Google's security check so that it can be published on the Play Store. The publishers therefore created a seemingly simple, benign app that passes Google's 'Bouncer' protection. Once the user installs the app, it silently opens a connection to the C&C server and downloads the malicious code. This code includes JavaScript, a user agent string and URLs that are controlled by the publisher.


Once the malicious code is running on the user's device, the JS code locates the advertisements inside the app and clicks on them. It does so by finding the iframe that embeds Google AdSense advertisements. Each click results in revenue for the publisher. Because of the huge reach of the infected apps, these fraudulent clicks have generated a large amount of revenue for the publishers.
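The ad network is the party that can actually observe the pattern described above, so a detection view is the useful thing to show here. The following is an added example, not code from Check Point's report or from the Judy apps: it runs two simple click-fraud heuristics over constructed ad-server event lines (the `<timestamp> <imp|click> <app_id>` line format and the app ids are assumptions made for this example). An app whose click-through rate is far above normal, or whose clicks arrive at metronomic intervals, is flagged as behaving like a script rather than like users.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed sample of ad-server events, one per line: "<unix_ts> <imp|click> <app_id>".
# The format and the app ids are assumptions for this example, not data from the report.
# com.example.reader behaves like real users; com.example.puzzle clicks every ad, every 5 s.
SAMPLE_LOG = """\
1000 imp com.example.reader
1004 imp com.example.reader
1009 click com.example.reader
1015 imp com.example.reader
1022 imp com.example.reader
1030 imp com.example.reader
1000 imp com.example.puzzle
1005 click com.example.puzzle
1006 imp com.example.puzzle
1010 click com.example.puzzle
1011 imp com.example.puzzle
1015 click com.example.puzzle
1016 imp com.example.puzzle
1020 click com.example.puzzle
1021 imp com.example.puzzle
1025 click com.example.puzzle
"""

LINE_RE = re.compile(r"^(\d+)\s+(imp|click)\s+(\S+)$")


@dataclass
class AppStats:
    impressions: int = 0
    click_times: list = field(default_factory=list)

    @property
    def ctr(self) -> float:
        """Click-through rate: clicks per impression (0.0 when nothing was shown)."""
        return len(self.click_times) / self.impressions if self.impressions else 0.0

    def interarrival_cv(self):
        """Coefficient of variation of the gaps between clicks.
        Human clicks are irregular (CV well above 0); scripted clicks cluster near 0.
        Returns None when there are too few clicks to measure."""
        ts = sorted(self.click_times)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(gaps) < 2:
            return None
        m = mean(gaps)
        return pstdev(gaps) / m if m else None


def parse_events(log: str) -> dict:
    """Aggregate raw event lines into per-app statistics; malformed lines are skipped."""
    stats = defaultdict(AppStats)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, app = int(m.group(1)), m.group(2), m.group(3)
        if event == "imp":
            stats[app].impressions += 1
        else:
            stats[app].click_times.append(ts)
    return dict(stats)


def flag_suspicious(stats: dict, max_ctr=0.2, max_cv=0.1, min_events=4) -> dict:
    """Return {app_id: [reasons]} for apps whose click behaviour looks automated.
    Thresholds are illustrative; a real deployment would derive them from a baseline."""
    findings = {}
    for app, s in stats.items():
        reasons = []
        if s.impressions >= min_events and s.ctr > max_ctr:
            reasons.append(f"ctr={s.ctr:.2f}")
        cv = s.interarrival_cv()
        if len(s.click_times) >= min_events and cv is not None and cv < max_cv:
            reasons.append(f"click_gap_cv={cv:.2f}")
        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in flag_suspicious(parse_events(SAMPLE_LOG)).items():
        print(f"SUSPICIOUS {app}: {', '.join(reasons)}")
```

Both heuristics are deliberately cheap to compute per app and per publisher account, which is where a fraud team would want to pivot once an app is flagged, since the report notes the same code surfaced across several publishers.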

Check Point further mentions that all these malicious apps were published on the Play Store by a Korean company called Kiniwini, registered on the Google Play Store as 'ENISTUDIO Corp.' The publishers went a step further and displayed a large number of advertisements in their apps, which results in users clicking on the ads involuntarily. It's surprising that most of these infected apps have a large number of positive ratings in the store. But as with the 'DressCode' app, it's now clear that an app with positive ratings is not necessarily safe to use.

If you've installed the app on your phone, we strongly advise you to remove it as soon as possible. For details of the Judy malware, please head over to the official source link below.

Source: blog.checkpoint.com
