
Google Removes Play Store Malware Campaign that Infected as Many as 36.5 Million Users

Check Point security researchers recently uncovered a malware campaign on Google’s Play store that had already infected between 8.5 and 36.5 million users. The malware was spread by several developers on the app store after a Korean company started using it. As many as 41 apps had the malware in them.

Possibly the biggest malware campaign on Google Play

Check Point researchers discovered the malware, dubbed “Judy”, inside innocent-looking apps with names along the lines of “Chef Judy”, “Animal Judy”, and “Fashion Judy”. Once installed, the malware generated fraudulent clicks on advertisements, which earned revenue for the perpetrators behind it.

The apps infected with Judy malware were developed by a Korean company named Kiniwini, and published under “ENISTUDIO Corp” on Google Play. Security researchers found this unusual, as it is an actual company that develops apps for Android and iOS. Its apps gave Judy between 4.5 and 18.5 million downloads.

Several other developers also used the malware in their apps, although it is unclear whether there is a connection between Kiniwini and these developers, or whether they just borrowed the malicious code, knowingly or unknowingly. Nevertheless, Judy managed to reach between 8.5 and 36.5 million users. Check Point described it as “possibly the biggest malware campaign on Google Play.”

All of Kiniwini’s apps were recently updated, so it isn’t possible to tell how long the Judy malware has been on the app store. In an app that wasn’t developed by the Korean company, however, the last update dated back to April 2016, meaning the malicious code has been around for at least a year.

Check Point’s blog post reads:

“Some of the apps we discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown.”

Google reviews its apps through an automated system named Bouncer, but according to reports the hackers created a seemingly benign application that allowed them to bypass Bouncer. After finding out about the flaw, Check Point researchers quickly contacted Google, and the internet giant swiftly removed all Judy-related apps from the Google Play store.

Wary users

Overall, Kiniwini’s apps had positive ratings on the app store, as most users didn’t realize their phones had been hijacked so fraudulent advertisement clicks could be generated, and merely enjoyed the games they had downloaded.

A few users realized something was odd, as the apps asked for odd permissions, such as access to the user I.D. and call information – information a game shouldn’t require. Other users pointed out that they could barely play the game, as a black box appeared around the screen and ultimately forced them to click on ads.

Security researchers at Check Point pointed out that high reputation doesn’t mean an app is safe, as hackers can manipulate users into leaving positive ratings, while hiding their true intentions.

To stay safe, Check Point recommends that users don’t rely solely on the review systems official app stores use, as more often than not malware manages to get through. The best way to prevent having your device compromised is to implement security protections capable of detecting and blocking malware.

Francisco Memoria

Francisco is a cryptocurrency enthusiast who's lucky enough to be able to write about his passion.
