As many as 36.5 million Android users may have been infected by advertising fraud malware that could have been lurking in the Google Play Store for years.
The malware, dubbed "Judy" by the researchers at Check Point who discovered it, was found in 41 apps in the Store, all made by Korean publisher ENISTUDIO. While Google has now pulled all the infected apps, the discovery and the extent of the outbreak cast serious doubt on the efficacy of the Chocolate Factory's anti-malware checking system, Bouncer.
"To bypass Bouncer, Google Play's protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim's device, and insert it into the app store," states Check Point's advisory.
The malware then spams out adverts to the infected handset, some of which have to be clicked on by the user to get the home screen functional again. The resulting ad clicks generate revenue for the malware operator.
The news came barely a month after a similar malware infestation in the Play Store was discovered in 49 rogue apps. Once again the malware was able to evade Google's checking systems by using the two-stage attack vector: insert a seemingly innocuous app that can pull in a payload later on.
The Judy case also highlights the importance of checking information on apps before downloading. While many of the infected pieces of software had good ratings from users – at least four out of five in some places – there were also clues in the user comments section about the enormous number of advertisements the apps were generating.
Google has made much of the safety of the Play Store in recent years, after a rocky start that saw its online marketplace prove to be a lot less safe than Apple's shopfront. Based on recent history, the Play Store may be gaining its old reputation back.