On Tuesday, mobile security analysts at Check Point uncovered the innocuous-sounding Judy, code that’s infected at least 41 different apps on the Google Play Store, Android’s app marketplace. Once installed, Judy opens internet links and imitates the behavior of a PC, using JavaScript to hunt down and fraudulently click on ads served by Google’s advertising platform.
Most of Judy’s ad-serving occurs in the background, but the adware also injects a large number of advertisements into applications — in some cases leaving users no option but to click on them.
The endgame is to rake in revenue by infecting as many Android devices as possible, and the Judy hackers are well on their way. The malware bypassed Bouncer, Google’s AI-powered Play Store filter that automatically flags malware, by creating a benign “middleware” app that silently establishes a connection with a remote server and installs Judy’s code.
Making matters worse, many of the infected applications had high average Play Store user ratings — in some cases four out of five stars. “A high reputation does not necessarily indicate that the app is safe for use,” Check Point said. “Hackers can hide their apps’ real intentions or even manipulate users into leaving positive ratings, in some cases unknowingly. Users cannot rely on the official app stores for their safety, and should implement advanced security protections capable of detecting and blocking zero-day mobile malware.”
According to Checkpoint, Judy infected between 4.5 million and 18.5 million devices — some as early as April 2016. Most of the malicious apps were published by Korean company Kiniwini, but it’s unclear whether Enistudio, its parent company, was complicit — Check Point researchers discovered the Judy code in apps from unaffiliated developers, but suspect that it might have been shared by another hacking group.
Given the prevalence of malware like Judy, it’s no wonder that latest version of Android, Android O, doubles down on security. It introduces new and improved device encryption, tamper-resistant hardware, and in-app Safe Browsing, a Chrome browser feature that uses machine learning to alert you to potentially harmful web content.
The new security features build on Google’s efforts to harden Android against attackers. Google’s SafetyNet, which rolled out alongside Android Marshmallow last year, verifies that devices are what they claim to be. And Google is using machine learning and statistical analysis to pinpoint potentially harmful apps.
Google’s real-time, cloud-based security platform consists of more than 20,000 processors, the company said at its Google I/O developer conference in June, and scans more than 50 billion devices every day.
