Researchers at Check Point, which recently reported malicious subtitles, have now reported a new malware campaign on Google Play. Dubbed 'Judy', the auto-clicking adware was found on 41 apps developed by a Korean company, according to researchers.
The malware used infected devices to generate fraudulent clicks on advertisements for generating revenues. Researchers claim that the 'Judy' malware has affected between 8.5 million and 36.5 million Android devices as the malicious apps saw downloads between 4.5 million and 18.5 million. Notably, Google removed the malicious apps from the Google Play store after Check Point notified it about the threat.
"Some of the apps we discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown," writes Check Point team talking about the Judy malware.
Researchers also found several apps containing Judy malware developed by other developers on Google Play. Though, any connection between the two malware campaigns couldn't be established. "The connection between the two campaigns remains unclear, and it is possible that one borrowed code from the other, knowingly or unknowingly," adds the team.
Check Point reported that the oldest app in the second campaign from other developers were last updated in April 2016 which means that the "malicious code hid for a long time on the Play store undetected."
Researchers also add that similar to previously reported malicious apps like FalseGuide, Judy also relies on the communication with its Command and Control server (C&C) for its operation.
Check Point last month reported FalseGuide botnet malware which infected millions of Android devices via Google Play, and which was hidden in over 40 guide apps for games in Google Play.
According to a security source, the researchers also uncovered a few more apps, published by other developers on Play Store, inexplicably containing the same the malware in them.
The connection between the two campaigns remains unclear, though researchers believe it is possible that one developer borrowed code from the other, "knowingly or unknowingly."
"It is quite unusual to find an actual organization behind the mobile malware, as most of them are developed by purely malicious actors," CheckPoint researchers say.
Apps available on play store directly do not contain any malicious code that helped apps to bypass Google Bouncer protections.
Once downloaded, the app silently registers user device to a remote command and control server, and in reply, it receives the actual malicious payload containing a JavaScript that starts the actual malicious process.
"The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website," the researchers say. "Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure."
The malicious apps are actual legitimate games, but in the background, they act as a bridge to connect the victim’s device to the adware server.
Once the connection is established, the malicious apps spoof user agents to imitate itself as a desktop browser to open a page and generate clicks.
Here’s a list of malicious apps developed by Kiniwini and if you have any of these installed on your device, remove it immediately:
INFECTED & MALICIOUS APPS
At least one of these apps was last updated on Play store in April last year, means the malicious apps were propagating for more than a year.
MUST READ... 8 Ways To Keep Your Smartphone and PC Safe From Virus Attack
Google has now removed all above-mentioned malicious apps from Play Store, but since Google Bouncer is not sufficient to keep bad apps out of the official store, you have to be very careful about downloading apps.
The malware used infected devices to generate fraudulent clicks on advertisements for generating revenues. Researchers claim that the 'Judy' malware has affected between 8.5 million and 36.5 million Android devices as the malicious apps saw downloads between 4.5 million and 18.5 million. Notably, Google removed the malicious apps from the Google Play store after Check Point notified it about the threat.
"Some of the apps we discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown," writes Check Point team talking about the Judy malware.
Researchers also found several apps containing Judy malware developed by other developers on Google Play. Though, any connection between the two malware campaigns couldn't be established. "The connection between the two campaigns remains unclear, and it is possible that one borrowed code from the other, knowingly or unknowingly," adds the team.
Check Point reported that the oldest app in the second campaign from other developers were last updated in April 2016 which means that the "malicious code hid for a long time on the Play store undetected."
Researchers also add that similar to previously reported malicious apps like FalseGuide, Judy also relies on the communication with its Command and Control server (C&C) for its operation.
Check Point last month reported FalseGuide botnet malware which infected millions of Android devices via Google Play, and which was hidden in over 40 guide apps for games in Google Play.
According to a security source, the researchers also uncovered a few more apps, published by other developers on Play Store, inexplicably containing the same the malware in them.
The connection between the two campaigns remains unclear, though researchers believe it is possible that one developer borrowed code from the other, "knowingly or unknowingly."
"It is quite unusual to find an actual organization behind the mobile malware, as most of them are developed by purely malicious actors," CheckPoint researchers say.
Apps available on play store directly do not contain any malicious code that helped apps to bypass Google Bouncer protections.
Once downloaded, the app silently registers user device to a remote command and control server, and in reply, it receives the actual malicious payload containing a JavaScript that starts the actual malicious process.
"The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website," the researchers say. "Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure."
The malicious apps are actual legitimate games, but in the background, they act as a bridge to connect the victim’s device to the adware server.
Once the connection is established, the malicious apps spoof user agents to imitate itself as a desktop browser to open a page and generate clicks.
Here’s a list of malicious apps developed by Kiniwini and if you have any of these installed on your device, remove it immediately:
INFECTED & MALICIOUS APPS
- Fashion Judy: Snow Queen style
- Animal Judy: Persian cat care
- Fashion Judy: Pretty rapper
- Fashion Judy: Teacher style
- Animal Judy: Dragon care
- Chef Judy: Halloween Cookies
- Fashion Judy: Wedding Party
- Animal Judy: Teddy Bear care
- Fashion Judy: Bunny Girl Style
- Fashion Judy: Frozen Princess
- Chef Judy: Triangular Kimbap
- Chef Judy: Udong Maker – Cook
- Fashion Judy: Uniform style
- Animal Judy: Rabbit care
- Fashion Judy: Vampire style
- Animal Judy: Nine-Tailed Fox
- Chef Judy: Jelly Maker – Cook
- Chef Judy: Chicken Maker
- Animal Judy: Sea otter care
- Animal Judy: Elephant care
- Judy’s Happy House
- Chef Judy: Hotdog Maker – Cook
- Chef Judy: Birthday Food Maker
- Fashion Judy: Wedding day
- Fashion Judy: Waitress style
- Chef Judy: Character Lunch
- Chef Judy: Picnic Lunch Maker
- Animal Judy: Rudolph care
- Judy’s Hospital: Pediatrics
- Fashion Judy: Country style
- Animal Judy: Feral Cat care
- Fashion Judy: Twice Style
- Fashion Judy: Myth Style
- Animal Judy: Fennec Fox care
- Animal Judy: Dog care
- Fashion Judy: Couple Style
- Animal Judy: Cat care
- Fashion Judy: Halloween style
- Fashion Judy: EXO Style
- Chef Judy: Dalgona Maker
- Chef Judy: ServiceStation Food
- Judy’s Spa Salon
At least one of these apps was last updated on Play store in April last year, means the malicious apps were propagating for more than a year.
MUST READ... 8 Ways To Keep Your Smartphone and PC Safe From Virus Attack
Google has now removed all above-mentioned malicious apps from Play Store, but since Google Bouncer is not sufficient to keep bad apps out of the official store, you have to be very careful about downloading apps.
gud information
ReplyDeleteAnother recovery from the world of Android.
ReplyDeleteBut let's not forget that there is another malware more dangerous than RANSOMEWARE.
Good update
ReplyDeleteTumbs Up bro 👍👍👍
ReplyDeleteThanks for the update wizy
ReplyDeleteI clearly noted few of this malware thanks once again
Could you please educate us on the best option on how to run two different Antivirus programs in one system.
ReplyDeleteStill waiting patiently for your response.
Delete