As many as 36.5 million Android users may have been infected by advertising fraud malware that could have been lurking in Google Play Store for years.
The malware, dubbed “Judy” by the researchers at Check Point who discovered it, was found in 41 apps in the Store, all made by Korean publisher ENISTUDIO. While Google has now pulled all the infected apps, the discovery and the extent of the outbreak cast serious doubt on the efficacy of the Chocolate Factory’s anti-malware checking system, Bouncer.
To bypass Bouncer, Google Play's protection, the hackers create a seemingly benign bridgehead app, meant to establish a connection to the victim's device, and insert it into the app store, states Check Point's advisory.
It silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage, and receives a redirection to another website.
The malware then spams out adverts to the infected handset, some of which the user has to click on to get the home screen working again. Every one of those ad clicks drives revenue to the malware operator.
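The mechanism described above leaves one signal a defender can look for without touching the app itself: an enrolled Android device whose outbound web requests carry a desktop-browser user-agent string. The script below is an added example written for this page, not Check Point's tooling or anything from the original article. It runs a simple triage heuristic over a few constructed proxy log lines (the log format, device identifiers, hostnames and the assumption that the proxy knows each device's enrolled platform are all invented for the example) and flags Android devices that send a user agent claiming Windows, macOS or desktop Linux.

```python
import re
import shlex
from collections import Counter

# Constructed sample proxy log lines (not real traffic). Assumed field layout:
#   timestamp device_id enrolled_platform "user-agent" destination_host
# The enrolled platform is assumed to come from device management, not from the UA.
SAMPLE_LOG = """\
2017-05-30T10:00:01Z dev-a1 android "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36" cdn.example.test
2017-05-30T10:00:03Z dev-a1 android "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" ads.example.test
2017-05-30T10:00:04Z dev-a1 android "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" click.example.test
2017-05-30T10:00:05Z dev-b2 windows "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" intranet.example.test
2017-05-30T10:00:07Z dev-c3 android "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.83 Mobile Safari/537.36" mail.example.test
"""

# Tokens that a desktop browser advertises, and tokens a mobile browser advertises.
DESKTOP_MARKERS = re.compile(r"Windows NT|Macintosh|X11; Linux", re.I)
MOBILE_MARKERS = re.compile(r"Android|Mobile|iPhone", re.I)


def is_desktop_ua(user_agent: str) -> bool:
    """True when the UA claims a desktop OS and carries no mobile token at all."""
    return bool(DESKTOP_MARKERS.search(user_agent)) and not MOBILE_MARKERS.search(user_agent)


def parse_line(line: str):
    """Split one log line into a dict; returns None for lines that do not fit the layout."""
    parts = shlex.split(line)  # shlex keeps the quoted user agent as a single field
    if len(parts) != 5:
        return None
    ts, device, platform, ua, host = parts
    return {"ts": ts, "device": device, "platform": platform.lower(), "ua": ua, "host": host}


def find_ua_mismatches(log_text: str):
    """Return (device, host) pairs where an enrolled Android device sent a desktop UA."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["platform"] == "android" and is_desktop_ua(rec["ua"]):
            hits.append((rec["device"], rec["host"]))
    return hits


def devices_over_threshold(log_text: str, min_hits: int = 2):
    """Devices with at least min_hits mismatched requests, sorted for stable triage output."""
    counts = Counter(device for device, _ in find_ua_mismatches(log_text))
    return sorted(device for device, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for device, host in find_ua_mismatches(SAMPLE_LOG):
        print(f"desktop UA from Android device {device} -> {host}")
    print("devices worth triage:", devices_over_threshold(SAMPLE_LOG))
```

A single mismatch is weak evidence on its own, since users can legitimately request the desktop version of a site, and the heuristic only works where the proxy can both see the User-Agent header and tie the request to a device of known platform; the per-device threshold exists to surface repeated, automated behaviour rather than one-off clicks.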