Google removed apps from Google Play after being alerted to their existence. Check Point says, but not before they reached an astonishing spread between 4.5 million and 18.5 million downloads. Available on the store for several years and updated recently.
Moreover, 36.5 million Android devices infected by malware. Produced fake ad clicks and lined the pockets of its developers.
Check Point verified 41 apps developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp. Infected devices to generate large amounts of fraudulent clicks on advertisements. That generates revenues for the perpetrators behind it.
But those download numbers mean “the total spread of the malware may have reached between 8.5 and 36.5 million users.”
Malware was dubbed Judy by Check Point after the title character in Kiniwini’s apps. Chef Judy: Picnic Lunch Maker, for example, encourages players to “create delicious food with Judy.” But Judy-themed games ran the gamut, from “Animal Judy” and “Fashion Judy.”
How does Judy infect your device?
Hackers create innocuous app around Google’s Bouncer security screening and added to an app store.
Check Point likens Judy to two previous exploits: FalseGuide and Skinner. And like another bug, DressCode, Judy hid behind good reviews. “Hackers can hide their apps’ real intentions or even manipulate users into leaving positive ratings, in some cases unknowingly.
However, Users cannot rely on the official app stores for their safety, and should implement advanced security protections capable of detecting and blocking zero-day mobile malware,” Check Point says.
Kiniwini develops apps for iOS and Android, Check Point says, but it did not mention any problems with the iOS apps. As of Sunday afternoon, 45 ENISTUDIO Corp. Judy apps available in the App Store, most of which appear updated on March 31.