There’s a new piece of Android malware on the loose and it’s a doozy. Originally discovered by researchers at Check Point last week, the malware has been dubbed “Judy” and is potentially one of the most widely spread pieces of Android malware we’ve seen to date. It’s currently believed that upwards of 36.5 million Android devices may have already been infected.
According to Check Point, the malware — which is seemingly designed to underhandedly generate ad revenue — was found lurking in 41 separate apps on the Google Play Store and was apparently able to slip past Google’s Bouncer screening system. Notably, some of the offending apps have been available for download for years, though at this point it remains unclear whether the malware was always present or was inserted later via a software update.
“The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it,” the security report reads.
As for how the malware operates, Check Point explains:
Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.
Upon clicking the ads, the malware author receives payment from the website developer, which pays for the illegitimate clicks and traffic.
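The click pattern Check Point describes above gives the ad-serving side something concrete to look for. What follows is an added example, not code from the article or from Check Point: a small Python heuristic run over constructed JSON-lines click logs that flags devices whose app SDK reports Android while the request's User-Agent claims a desktop PC browser, and devices that produce bursts of clicks in a short window. The log format, field names, thresholds and sample records are all assumptions made for this example.

```python
"""
Added example (not from the article or from Check Point): flag ad-click
records that look like the Judy pattern described in the report, i.e. an
Android app SDK producing clicks whose User-Agent imitates a PC browser,
and a high rate of clicks from one device. Log format, field names and
thresholds are assumptions made for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed user-agent strings for the sample log (assumption, not real captures).
ANDROID_UA = "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 Mobile Safari/537.36"
PC_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"


def _line(ts, device, ua, ad, platform="Android"):
    """Build one JSON-lines click record (assumed log format)."""
    return json.dumps({"ts": ts, "device": device, "platform": platform, "ua": ua, "ad": ad})


# Constructed sample log: dev-a is a normal user, dev-b shows both signals,
# dev-c shows only the user-agent mismatch.
SAMPLE_LOG = "\n".join(
    [_line("2017-05-29T10:00:00Z", "dev-a", ANDROID_UA, "ad-1"),
     _line("2017-05-29T10:05:00Z", "dev-a", ANDROID_UA, "ad-2")]
    + [_line(f"2017-05-29T10:00:{i * 5:02d}Z", "dev-b", PC_UA, f"ad-{i}") for i in range(6)]
    + [_line("2017-05-29T10:00:00Z", "dev-c", PC_UA, "ad-3")]
)

DESKTOP_TOKENS = ("Windows NT", "Macintosh", "X11;")
MOBILE_TOKENS = ("Android", "Mobile")


def claims_desktop_browser(ua):
    """True when the UA presents as a PC browser and carries no mobile marker."""
    return any(t in ua for t in DESKTOP_TOKENS) and not any(t in ua for t in MOBILE_TOKENS)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def has_click_burst(timestamps, burst_count, window):
    """True if any burst_count consecutive clicks fall inside one window."""
    ts = sorted(timestamps)
    for i in range(len(ts) - burst_count + 1):
        if ts[i + burst_count - 1] - ts[i] <= window:
            return True
    return False


def flag_devices(log_text, burst_count=5, window_seconds=60):
    """Return {device_id: [reasons]} for devices matching either heuristic."""
    clicks = defaultdict(list)
    ua_mismatch = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        clicks[rec["device"]].append(parse_ts(rec["ts"]))
        # The SDK says Android, but the HTTP request claims a PC browser.
        if rec["platform"] == "Android" and claims_desktop_browser(rec["ua"]):
            ua_mismatch.add(rec["device"])

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for device, times in clicks.items():
        reasons = []
        if device in ua_mismatch:
            reasons.append("ua_mismatch")
        if has_click_burst(times, burst_count, window):
            reasons.append("click_burst")
        if reasons:
            flagged[device] = reasons
    return flagged


if __name__ == "__main__":
    for device, reasons in flag_devices(SAMPLE_LOG).items():
        print(device, ", ".join(reasons))
```

Neither signal is proof on its own: a user-agent mismatch can come from a legitimate "request desktop site" setting, and a click burst can be a real user, so in practice both would feed a scoring step rather than an automatic block.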
Google is aware of the malware campaign and has already removed the offending apps from its online store.
As for the perpetrators behind the malware campaign, all we know at this point is that the malicious apps originate from a Korean company that develops apps for both iOS and Android.