The US-based cyber security service claimed that the malware had already spread to 36.5 million (3.65 crore) users, making it potentially the most widely-spread malware yet found on Google Play.
The malware “infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it”. These apps typically spanned the casual cooking and fashion games categories, under the “Judy” brand, the name that has now also been conferred on the malware now. Some apps that Checkpoint missed in their tally were Fashion Judy; Magic Girl Style and Fashion Judy; Masquerade Style.
In fact, one of these apps containing the malware was available on Google Play Store for over a year. However, Google removed the apps after being notified by Checkpoint.
Checkpoint explains that the viruses that came with these programmes went largely unnoticed because the programmes were installed through Google, the official source. The malware code was downloaded from a non-Google server. This code then enabled automatic clicks on Google ads through the phones for the vulnerable customer.
Check Point released this list of malicious apps developed by Kiniwini:
· Fashion Judy: Snow Queen Style
· Animal Judy: Persian cat care
· Fashion Judy: Pretty rapper
· Fashion Judy: Teacher style
· Animal Judy: Dragon care
· Chef Judy: Halloween Cookies
· Fashion Judy: Wedding Party
· Animal Judy: Teddy Bear care
· Fashion Judy: Bunny Girl Style
· Fashion Judy: Frozen Princess
· Chef Judy: Triangular Kimbap
· Chef Judy: Udong Maker – Cook
· Fashion Judy: Uniform style
· Animal Judy: Rabbit care
· Fashion Judy: Vampire style
· Animal Judy: Nine-Tailed Fox
· Chef Judy: Jelly Maker – Cook
· Chef Judy: Chicken Maker
· Animal Judy: Sea otter care
· Animal Judy: Elephant care
· Judy’s Happy House
· Chef Judy: Hotdog Maker – Cook
· Chef Judy: Birthday Food Maker
· Fashion Judy: Wedding day
· Fashion Judy: Waitress style
· Chef Judy: Character Lunch
· Chef Judy: Picnic Lunch Maker
· Animal Judy: Rudolph care
· Judy’s Hospital: Paediatrics
· Fashion Judy: Country style
· Animal Judy: Feral Cat care
· Fashion Judy: Twice Style
· Fashion Judy: Myth Style
· Animal Judy: Fennec Fox care
· Animal Judy: Dog care
· Fashion Judy: Couple Style
· Animal Judy: Cat care
· Fashion Judy: Halloween style
· Fashion Judy: EXO Style
· Chef Judy: Dalgona Maker
· Chef Judy: Service Station Food
· Judy’s Spa Salon
Eastern Shepherd Analysis of Root cause:
Google Bouncer Service, the Official Google Play Service which identifies malicious apps, failed to detect this adware / malware. Google Bouncer, the command & control communication mechanism which receives attacker's command dynamically during run time failed. This happened because of breach of trust by one of its app developers Korean Kiniwini registered as Enistudio Corp. What Enicorp did was provided a link to Google customers that circumvented Google Bouncer firewall. This enabled them to directly interface with Google customers to launch the adware for generating revenues.
Eastern Shepherd Recommends:
- To turn on Google play protect (for devices running android 7), which can be accessed through the google play store's app menu.
- To always browse an unsecured network via VPN.
- to check app permissions when they are downloaded
- To install Mobile Security Software.
- To keep the device updated. Check if the device is up-to-date with the latest software version as well as security patches.