An enormous malware campaign targeting Android smartphones has been uncovered by researchers at a cybersecurity company. Dubbed “Judy,” the campaign uses auto-clicking adware to generate fraudulent clicks on website ads and so earn money for the criminals behind it.
The unprecedented scale of Judy was discovered by Check Point Security. A team of researchers found the malware hidden inside 41 apps developed by a software company based in South Korea. According to the report, the apps have seen an “astonishing” number of downloads. Estimates of Judy’s spread range from 4.5 million to 18.5 million devices.
Once activated, the malware starts to generate a very large number of fake clicks on online advertisements. In turn, these clicks deliver money to the hackers behind the campaign. By sneaking the malicious scripts into apps, the attackers can silently make money from ad providers. Check Point concluded that the campaign has produced a “large” revenue because of how widely the malware spread.
When the user downloads the malicious app, it starts communications with a remote command and control server. The server recognizes the connection and sends the device the adware used in the attack. Through an ensuing system of redirects and some manipulation of how the phone appears to web servers, a target website is launched.
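The article notes that the fraud went unnoticed by the ad platform for a long time. The following is an added example, not code from the article or from Check Point's report, of the kind of server-side heuristic an ad network could run to spot auto-clicking behaviour of the sort described: a device that clicks on almost every impression it is served, at a machine-like regular pace, looks nothing like a human reader. The event-log format, device names and thresholds are all constructed for illustration.

```python
"""Heuristic auto-click detection over ad-event logs (added example; the
log format, device ids and thresholds are constructed, not from the article)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: (timestamp_seconds, device_id, event, ad_id)
SAMPLE_EVENTS = [
    # dev-A behaves like a person: many impressions, one click, irregular timing
    (0, "dev-A", "impression", "ad1"),
    (31, "dev-A", "impression", "ad2"),
    (95, "dev-A", "click", "ad2"),
    (240, "dev-A", "impression", "ad3"),
    (600, "dev-A", "impression", "ad4"),
    # dev-B behaves like an auto-clicker: a click one second after every
    # impression, impressions arriving at a fixed ten-second cadence
    (0, "dev-B", "impression", "ad1"),
    (1, "dev-B", "click", "ad1"),
    (11, "dev-B", "impression", "ad2"),
    (12, "dev-B", "click", "ad2"),
    (22, "dev-B", "impression", "ad3"),
    (23, "dev-B", "click", "ad3"),
    (33, "dev-B", "impression", "ad4"),
    (34, "dev-B", "click", "ad4"),
    (44, "dev-B", "impression", "ad5"),
    (45, "dev-B", "click", "ad5"),
]


def summarize(events):
    """Per-device impression/click counters plus sorted click timestamps."""
    stats = defaultdict(lambda: {"impressions": 0, "clicks": 0, "click_times": []})
    for ts, dev, kind, _ad in events:
        s = stats[dev]
        if kind == "impression":
            s["impressions"] += 1
        elif kind == "click":
            s["clicks"] += 1
            s["click_times"].append(ts)
    for s in stats.values():
        s["click_times"].sort()
    return stats


def click_regularity(click_times):
    """Coefficient of variation of the gaps between consecutive clicks.
    0.0 means perfectly regular (metronome-like) clicking; humans are noisy.
    Returns None when fewer than three clicks exist (two gaps are needed)."""
    if len(click_times) < 3:
        return None
    gaps = [b - a for a, b in zip(click_times, click_times[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else 0.0


def flag_autoclickers(events, min_clicks=4, max_ctr=0.5, max_cv=0.2):
    """Flag devices whose click-through rate is implausibly high AND whose
    click timing is implausibly regular. Both conditions must hold, so a
    genuinely enthusiastic user with irregular timing is not flagged."""
    flagged = {}
    for dev, s in summarize(events).items():
        if s["clicks"] < min_clicks or s["impressions"] == 0:
            continue
        ctr = s["clicks"] / s["impressions"]
        cv = click_regularity(s["click_times"])
        if ctr > max_ctr and cv is not None and cv <= max_cv:
            flagged[dev] = {"ctr": round(ctr, 2), "gap_cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for dev, verdict in flag_autoclickers(SAMPLE_EVENTS).items():
        print(f"{dev}: suspected auto-clicker {verdict}")
```

The thresholds are deliberately conservative placeholders; a real platform would calibrate them against its own traffic, add signals such as the reported browser identity versus the device's actual network fingerprint, and look for many devices sharing one install's behaviour rather than judging each device in isolation.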
All the apps found to house the malware are disguised as innocuous children’s games. As they all contain the name “Judy” in their title, Check Point decided to name the campaign after the character that the apps feature as their protagonist. Amongst the titles are “Animal Judy: Teddy Bear care,” “Fashion Judy: Frozen Princess” and “Chef Judy: Birthday Food Maker.”
Check Point also discovered that a handful of apps from other developers contain the malware too. It is not clear whether the different vendors are connected. The company speculated that one campaign might have borrowed code from the other, picking up the attack scripts along with it, whether intentionally or perhaps inadvertently. The team estimated that a total of between 8.5 and 36.5 million users are likely to have been affected by all the known apps combined.
Unusually, Check Point found that there is an actual developer behind the Judy apps. They are created by a Korean firm called Kiniwini, listed on the Play Store as ENISTUDIO. The company also builds apps for iOS devices. Check Point noted that most mobile malware is created by dedicated hackers, rather than developers looking for extra cash.
“It is quite unusual to find an actual organization behind mobile malware, as most of them are developed by purely malicious actors,” the company said. “It is important to note that the activity conducted by the malware is not borderline advertising, but definitely an illegitimate use of the users’ mobile devices for generating fraudulent clicks, benefiting the attackers.”
Judy is causing concern because the suspect apps have remained in the Google Play Store undetected for a considerable length of time. Because they’re offered from the Play Store, even careful users who don’t get apps from unofficial sources could be affected. The oldest discovered app was last updated in April 2016. This suggests the campaign has been active for at least a year, during which Google hasn’t identified the fraud against its ad platform.
Check Point alerted Google to the dangers of the Judy apps as soon as it uncovered the threat. The company responded rapidly, and all of the apps have now been delisted from the store. Google hasn’t commented on the threat or on how “Judy” went undetected for so long, despite most of the apps having 4- or 5-star reviews.
Check Point warned users to remain vigilant and use security tools capable of detecting zero-day mobile malware. You should also check the permissions that an app requires before installing it, although in this case there was little to indicate that the games were anything other than innocent children’s fun.