Security researchers have claimed to have discovered possibly the largest malware campaign on Google Play Store that has already infected around 36.5 million Android devices with malicious ad-click software.

The security firm Check Point on Thursday published a blog post revealing more than 41 Android applications from a Korean company on Google Play Store that make money for their creators by generating fake advertisement clicks from the infected devices.

All the malicious apps, developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp, contained an adware program, dubbed Judy, that is being used to generate fraudulent clicks to generate revenue from advertisements.

Moreover, the researchers also uncovered a few more apps, published by other developers on Play Store, that inexplicably contain the same malware.

The connection between the two campaigns remains unclear, though researchers believe it is possible that one developer borrowed code from the other, "knowingly or unknowingly."
"It is quite unusual to find an actual organization behind the mobile malware, as most of them are developed by purely malicious actors," Check Point researchers say.
The apps as published on Play Store do not themselves contain any malicious code, which is what allowed them to bypass Google Bouncer protections.

Once downloaded, the app silently registers the user's device with a remote command and control server, and in reply it receives the actual malicious payload, containing JavaScript that starts the malicious process.
"The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website," the researchers say. "Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure."
The malicious apps are real, working games, but in the background they act as a bridge connecting the victim's device to the adware server.

Once the connection is established, the malicious apps spoof the user agent to pose as a desktop browser, open the targeted page, and generate clicks.
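The behaviour described above leaves a detectable trace on a network: a device that an inventory knows to be an Android handset repeatedly fetching ad pages while presenting a desktop browser User-Agent. The following detection logic is an added example written for this article, not code from Check Point or from the report; the proxy log format, the IP-to-platform inventory and the ad hostnames are constructed sample data, and the `threshold` parameter is an assumption chosen to suppress one-off "request desktop site" views that legitimate mobile users also produce.

```python
import re
from collections import defaultdict

# Constructed inventory: client IP -> platform as reported by MDM or DHCP
# fingerprinting. Sample values, not data from the Check Point report.
DEVICE_INVENTORY = {
    "10.0.0.21": "android",
    "10.0.0.22": "android",
    "10.0.0.30": "windows",
}

# Constructed proxy log lines in a simplified 'ip host "user_agent"' format.
SAMPLE_LOG = """\
10.0.0.21 ads.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
10.0.0.21 ads.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
10.0.0.21 ads.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
10.0.0.22 play.google.com "Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G930F Build/NRD90M)"
10.0.0.22 news.example.org "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 Chrome/58.0 Mobile Safari/537.36"
10.0.0.22 news.example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
10.0.0.30 ads.example.net "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$')

# Substrings that identify a desktop platform in a User-Agent string.
DESKTOP_UA_MARKERS = ("Windows NT", "Macintosh", "X11; Linux x86_64")


def parse_line(line):
    """Split one constructed log line into ip, host and user agent, or None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def looks_desktop(ua):
    """True when the UA claims a desktop OS and does not identify itself as Android."""
    return any(marker in ua for marker in DESKTOP_UA_MARKERS) and "Android" not in ua


def find_ua_mismatches(log_text, inventory, threshold=2):
    """Flag inventory-known Android devices that present a desktop UA at least
    `threshold` times. Returns {ip: {"count": n, "hosts": [sorted hosts]}}.
    A single mismatch is ignored because users can legitimately request a
    desktop site; repeated mismatches toward the same host are the signal."""
    hits = defaultdict(lambda: {"count": 0, "hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the sweep
        if inventory.get(rec["ip"]) == "android" and looks_desktop(rec["ua"]):
            hits[rec["ip"]]["count"] += 1
            hits[rec["ip"]]["hosts"].add(rec["host"])
    return {
        ip: {"count": h["count"], "hosts": sorted(h["hosts"])}
        for ip, h in hits.items()
        if h["count"] >= threshold
    }


if __name__ == "__main__":
    for ip, info in find_ua_mismatches(SAMPLE_LOG, DEVICE_INVENTORY).items():
        print(f"{ip}: {info['count']} desktop-UA requests from an Android device to {info['hosts']}")
```

In the sample data only 10.0.0.21 is flagged: it is inventoried as Android yet sends three requests to the ad host with a Windows Chrome User-Agent, which matches the hidden-webpage behaviour the researchers describe. 10.0.0.22 produces one desktop-UA request and stays below the threshold, and 10.0.0.30 is a genuine Windows client, so its desktop UA is not a mismatch. In practice the inventory would come from an MDM or DHCP fingerprint feed and the threshold would be tuned against the organisation's baseline.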

Here's a list of malicious apps developed by Kiniwini and if you have any of these installed on your device, remove it immediately:

  • Fashion Judy: Snow Queen style
  • Animal Judy: Persian cat care
  • Fashion Judy: Pretty rapper
  • Fashion Judy: Teacher style
  • Animal Judy: Dragon care
  • Chef Judy: Halloween Cookies
  • Fashion Judy: Wedding Party
  • Animal Judy: Teddy Bear care
  • Fashion Judy: Bunny Girl Style
  • Fashion Judy: Frozen Princess
  • Chef Judy: Triangular Kimbap
  • Chef Judy: Udong Maker – Cook
  • Fashion Judy: Uniform style
  • Animal Judy: Rabbit care
  • Fashion Judy: Vampire style
  • Animal Judy: Nine-Tailed Fox
  • Chef Judy: Jelly Maker – Cook
  • Chef Judy: Chicken Maker
  • Animal Judy: Sea otter care
  • Animal Judy: Elephant care
  • Judy's Happy House
  • Chef Judy: Hotdog Maker – Cook
  • Chef Judy: Birthday Food Maker
  • Fashion Judy: Wedding day
  • Fashion Judy: Waitress style
  • Chef Judy: Character Lunch
  • Chef Judy: Picnic Lunch Maker
  • Animal Judy: Rudolph care
  • Judy's Hospital: Pediatrics
  • Fashion Judy: Country style
  • Animal Judy: Feral Cat care
  • Fashion Judy: Twice Style
  • Fashion Judy: Myth Style
  • Animal Judy: Fennec Fox care
  • Animal Judy: Dog care
  • Fashion Judy: Couple Style
  • Animal Judy: Cat care
  • Fashion Judy: Halloween style
  • Fashion Judy: EXO Style
  • Chef Judy: Dalgona Maker
  • Chef Judy: ServiceStation Food
  • Judy's Spa Salon

At least one of these apps was last updated on Play Store in April last year, meaning the malicious apps had been propagating for more than a year.

Google has now removed all the above-mentioned malicious apps from Play Store, but since Google Bouncer is not sufficient to keep bad apps out of the official store, you have to be very careful about which apps you download.
