Google has removed dozens of Android applications from its Play mobile application store after security vendor Check Point Software discovered the apps were infected with malware that trick users into clicking on ads on a massive scale.
Some of the applications that Check Point discovered appear to have been on Play store for several years and have been downloaded anywhere from 8.5 million times to 36.5 million times, the security vendor said in an alert this week.
The ad-clicking malware, which Check Point dubbed ‘Judy’, used infected devices to generate a large number of fraudulent clicks on ads posted through the Google’s network. The operators of the malware earned money for each fraudulent click, while advertisers who paid by click, lost money on each fraudulent impression.
Check Point described the discovery as likely the largest ever malware campaign uncovered on Google Play.
The malware was found on more than 40 applications belonging to a Korean company that appeared to be a formally registered business on Google Play, Check Point said. This Korean company makes mobile applications for both Android and IOS environments.
“It is important to note that the activity conducted by the malware is not borderline advertising, but definitely an illegitimate use of the users’ mobile devices for generating fraudulent clicks, benefiting the attackers,” Check Point said.
In addition to generating the fraudulent ad clicks, the Korean company’s apps also sometimes displayed multiple applications at once on a user’s mobile screen leaving them with no option but to click on the ads to exit, the alert said.
Besides the Korean apps, Check Point said it discovered several Android applications developed by other vendors, running the Judy malware as well.”The connection between the two campaigns remains unclear, and it is possible that one borrowed code from the other, knowingly or unknowingly,” Check Point’s mobile research team said in the alert.
Google uses a technology dubbed Bouncer to inspect all Android applications for malware and other potentially harmful code before allowing the app into Play store. In order to get around Bouncer the operators of Judy first uploaded a seemingly benign application to Google’s app store.
When a user downloaded the app, it promptly established a connection with a malicious server and downloaded the ad clicking malware from there. The malware would then use a series of subterfuges to locate and click on targeted banner ads in Google’s ad infrastructure Check Point said.
Google did not respond to a request seeking comment on Check Point’s discovery or on how the malicious behavior remained undetected for so long.
This is by far not the first time that security researchers have discovered Android apps on Play behaving in a malicious way. Google itself has frequently reiterated its commitment to ensuring that apps loaded to Play store are malware free. Just last week, the company announced Play Protect, a technology that continuously scans Android devices used in the workplace for malware and malicious behavior.
But almost as frequently as the company has updated its defenses, malware authors have been able to sneak past them. Earlier this year for instance Check Point discovered a new variant of a malware dubbed HummingBad in some 20 Android apps on Google Play, including some that had been downloaded millions of times. In March, Google scrambled to remove some 132 Android apps from Play after security vendor Palo Alto Network said it discovered the apps contained malware.
Google’s security researchers have often publicly called out other software vendors for security failures in their products. But as Check Point’s disclosure this week would suggest, Google itself, like every other vendor, appears to be having its own share of security problems.
