Security researchers claim to have discovered what may be the largest malware campaign on the Google Play Store to date, one that has already infected around 36.5 million Android devices with malicious ad-click software.
The security firm Check Point on Thursday published a blog post revealing more than 41 Android applications from a Korean company on the Google Play Store that make money for their creators by generating fake advertisement clicks from infected devices.
All the malicious apps, developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp, contained an adware program, dubbed Judy, that is used to generate fraudulent clicks and so earn advertising revenue.
Moreover, the researchers also uncovered a few more apps, published by other developers on the Play Store, that inexplicably contain the same malware.
The connection between the two campaigns remains unclear, though researchers believe it is possible that one developer borrowed code from the other, "knowingly or unknowingly."
"It is quite unusual to find an actual organization behind the mobile malware, as most of them are developed by purely malicious actors," Check Point researchers say.
The apps as published on the Play Store do not themselves contain the malicious code, which is how they slipped past Google Bouncer protections.
Once downloaded, the app silently registers the user's device with a remote command-and-control server, which replies with the actual malicious payload: JavaScript code that starts the click-fraud process.
"The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website," the researchers say. "Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure."
The malicious apps are real, working games, but in the background they act as a bridge between the victim's device and the adware server.
Once the connection is established, the apps spoof their user agent to pose as a desktop browser, open the target page and generate clicks.
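As an added example (not from Check Point's report or this article), here is a small Python detection routine of the kind a defender might run over per-app network logs from a managed Android fleet: it flags apps whose outbound requests carry a desktop-browser User-Agent, as the Judy payload does, and that repeatedly hit ad-click URLs. The JSON-lines log format, package names, URLs and click threshold are constructed assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample log: one JSON object per outbound request, as a
# device-side proxy or MDM agent on an Android fleet might record it.
# Package names and URLs are hypothetical, not real Judy indicators.
SAMPLE_LOG = """\
{"pkg": "com.example.game", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36", "url": "http://c2.example/register?id=42"}
{"pkg": "com.example.game", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36", "url": "http://ads.example/click?b=1"}
{"pkg": "com.example.game", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36", "url": "http://ads.example/click?b=2"}
{"pkg": "com.example.game", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36", "url": "http://ads.example/click?b=3"}
{"pkg": "com.example.browser", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/603.1 Safari/603.1", "url": "http://ads.example/click?b=9"}
{"pkg": "com.example.weather", "ua": "Mozilla/5.0 (Linux; Android 7.0; Pixel) AppleWebKit/537.36 Chrome/58.0 Mobile Safari/537.36", "url": "https://api.weather.example/v1/now"}
"""

# User-Agent fragments that identify a desktop operating system. Every
# request in these logs originates from an Android app, so a desktop UA
# means the app is deliberately masquerading as a PC browser.
DESKTOP_UA = re.compile(r"Windows NT|Macintosh|X11; Linux x86_64")

# Very rough signature for an ad-click endpoint (assumption for the sample).
AD_CLICK_URL = re.compile(r"/click\b", re.I)


def parse_lines(text):
    """Parse JSON-lines log text into a list of request dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_desktop_ua_apps(entries):
    """Return the set of packages that sent a desktop-browser User-Agent."""
    return {e["pkg"] for e in entries if DESKTOP_UA.search(e["ua"])}


def count_ad_clicks(entries):
    """Count requests to ad-click URLs per package."""
    counts = Counter()
    for e in entries:
        if AD_CLICK_URL.search(e["url"]):
            counts[e["pkg"]] += 1
    return counts


def flag_suspicious(entries, click_threshold=3):
    """Packages that both spoof a desktop UA and exceed the click threshold.

    A real browser app with 'request desktop site' enabled also sends a
    desktop UA, so the click count is what separates Judy-like behaviour
    from that legitimate case."""
    desktop = find_desktop_ua_apps(entries)
    clicks = count_ad_clicks(entries)
    return sorted(pkg for pkg in desktop if clicks[pkg] >= click_threshold)
```

On the constructed sample, `flag_suspicious(parse_lines(SAMPLE_LOG))` returns only `com.example.game`; the browser app is noted by `find_desktop_ua_apps` but not flagged because it made a single click.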
Here's a list of the malicious apps developed by Kiniwini; if you have any of these installed on your device, remove it immediately:
Fashion Judy: Snow Queen style
Animal Judy: Persian cat care
Fashion Judy: Pretty rapper
Fashion Judy: Teacher style
Animal Judy: Dragon care
Chef Judy: Halloween Cookies
Fashion Judy: Wedding Party
Animal Judy: Teddy Bear care
Fashion Judy: Bunny Girl Style
Fashion Judy: Frozen Princess
Chef Judy: Triangular Kimbap
Chef Judy: Udong Maker – Cook
Fashion Judy: Uniform style
Animal Judy: Rabbit care
Fashion Judy: Vampire style
Animal Judy: Nine-Tailed Fox
Chef Judy: Jelly Maker – Cook
Chef Judy: Chicken Maker
Animal Judy: Sea otter care
Animal Judy: Elephant care
Judy's Happy House
Chef Judy: Hotdog Maker – Cook
Chef Judy: Birthday Food Maker
Fashion Judy: Wedding day
Fashion Judy: Waitress style
Chef Judy: Character Lunch
Chef Judy: Picnic Lunch Maker
Animal Judy: Rudolph care
Judy's Hospital: Pediatrics
Fashion Judy: Country style
Animal Judy: Feral Cat care
Fashion Judy: Twice Style
Fashion Judy: Myth Style
Animal Judy: Fennec Fox care
Animal Judy: Dog care
Fashion Judy: Couple Style
Animal Judy: Cat care
Fashion Judy: Halloween style
Fashion Judy: EXO Style
Chef Judy: Dalgona Maker
Chef Judy: ServiceStation Food
Judy's Spa Salon
At least one of these apps was last updated on the Play Store in April last year, which means the malicious apps had been propagating for more than a year.
Google has now removed all the above-mentioned malicious apps from the Play Store, but since Google Bouncer alone is not sufficient to keep bad apps out of the official store, you still need to be careful about which apps you download.