After WannaCry's sizable impact on many Windows machines around the world, details have been revealed of a malware campaign targeting Android devices through the Google Play Store. The auto-clicking adware, named 'Judy', was discovered by the IT security firm, Check Point. It is estimated to have affected between 8.5 and 36.5 million users.
Judy seems to be stemming from about 41 apps made by a Korean company. There are other apps from different developers that seem to share the infected code, but Check Point was unable to verify whether those third parties had colluded with the Korean firm. The malware relies on communication with its Command and Control server (C&C) for its operation.
Check Point explained the working of Judy:
To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store. Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload.
The malware, then, uses [the] infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.
While now removed by Google, the apps were downloaded between 4.5 million and 18.5 million times before being taken down. All of these apps were updated recently, making it difficult for the security company to calculate Judy's exact impact and reach. It is also tricky to determine exactly when the malicious code was injected into the apps. The creator of the malware is a company named Kiniwini, registered on Google Play as ENISTUDIO corp. The company makes apps for iOS as well as Android. However, Judy's impact appears to be limited to only Android devices.
Android is notorious for leaving a majority of devices hanging when it comes to security updates and while Google is taking steps to improve security on Android devices, and on its Google Play Store, there's clearly room for further improvement.
Source: Check Point