Google has cleared its Play Store of more than 40 Android apps that might make up the biggest ad fraud campaign ever on the platform.
The apps in question forced users to click on ads and, judging by the number of installs, this was no minor operation. Security company Check Point notes that the apps saw up to 18.5 million downloads and the malware infected up to 36 million users in total, so this scheme could well be the largest and most successful malware campaign to ever plague Google Play.
Possibly The Largest Android Malware Campaign Ever
"The malware, dubbed 'Judy,' is an auto-clicking adware which was found on 41 apps developed by a Korean company," reveals Check Point. "The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it."
The apps came from South Korean company Kiniwini, registered as ENISTUDIO Corp. on Google Play. Most of those Android apps were games, hiding an illicit ad-clicking trick up their sleeve. Because the ad-clicking function emerged after the app's installation, Google's Bouncer technology was not able to detect the apps as adware and keep them off the Play Store.
Some of these apps had apparently been on the Play Store for years, but all of them received updates recently. Check Point could not determine for how long the rogue code hid inside the apps, so it remains unknown just how widespread the malware actually is.
Infected And Undetected
Once unsuspecting users installed one of the infected apps, the code for the ad-clicking function would insert itself and the apps would start opening webpages quietly in the background, without drawing any attention to what was really going on.
Check Point further notes that it found a number of other Play Store apps from different developers packing the same malicious code. The company has yet to determine a clear link between the two campaigns, but speculates that one could have taken code from the other, either intentionally or not.
"Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure," the security firm further explains.
The fraudsters behind this malware campaign would get money for every ad click, so the campaign was likely quite lucrative.
Forcing Users To Click Ads
The company also notes that in some cases, the apps would virtually force users to click ads because they would shove so many advertisements down users' throats that it left them with basically no other options if they didn't want to quit the app.
Check Point notes that the malware dates back to at least April 2016, which means the campaign flew under the radar for more than a year. The security firm alerted Google to the threat and more than 40 apps got kicked off the Play Store.
This type of ad-clicking malware is a master of disguise, however, which makes it extremely hard to detect and remove before it does any damage. Anti-virus programs don't typically detect such code, so apps like these go undetected for a good while.