back to article Android apps punched out by Judy malware

As many as 36.5 million Android users may have been infected by advertising fraud malware that could have been lurking in Google Play Store for years. The malware, dubbed "Judy" by the researchers at Check Point who discovered it, was found in 41 apps in the Store, all made by Korean publisher ENISTUDIO. While Google has now …

  1. Paratrooping Parrot
    Stop

    No Root Firewall

    This has been a godsend in reducing the amount of advertising. :)

    I have also stopped installing any software that contains advertising and would need internet connection.

    1. Anonymous Coward
      Anonymous Coward

      Re: No Root Firewall

      "More than 36 million users feared infected"

      Phewww. I thought it was nearer a billion devices infected with Slurp's Android spyware...

  2. a_yank_lurker Silver badge

    What were the titles?

    More of a question, what were the titles? I have seen a lot of ink on this but no one has stated what the apps were.

    I know I am being lazy but the headlines indicate it is much more serious than it is as the posts do not mention what it does (bogus ad clicks) or what the apps are (games it looks like in this case). I hate the sky is falling particularly when I find out I am completely unaffected.

    1. Coen Dijkgraaf
      Facepalm

      Re: What were the titles?

      The titles are in the Checkpoint's advisory blog that is linked to in the article.

      http://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/

      Mainly ones with "Fashion Judy", "Animal Judy", "Chef Judy" & "Judy’s Spa Salon" in the title, but it also list some that don't (by the other developer that was mentioned)

      That article of course has a link promoting their own security products to protect you (of course if it was that good, why did it take so long for them to find this).

      1. a_yank_lurker Silver badge

        Re: What were the titles?

        My irritation is with the tendency of many sites to hype the problem without giving sufficient details to a reader to figure out if they are even remotely affected. At the Lurker's household we have Android phones. But none have any of these apps. But a couple of members, half panicked by the hysterical hype on some sites (not El Reg) were asking what to do. Since we were unaffected (none of the apps were ever installed) my answer was nothing.

    2. iron Silver badge

      Re: What were the titles?

      The article clearly states that if you're infected you will be bombarded by advertising that you need to click away to reach the home screen. Are you bombarded by advertising that you need to click away to reach the home screen? If not then you are not infected, if you are then you should have realised you have a problem without the article.

      1. Anonymous Coward
        Holmes

        Re: What were the titles?

        @iron - just say "RTFA" next time. Save all that annoying typing.

  3. Kevin McMurtrie Silver badge

    Trying to make it sound unusual?

    Most apps on Play Store get completely hijacked by their own ad libraries. It has a rare trigger, so as to evade detection, but it eventually happens. Some are so well crafted that you don't notice the exact point where the advertisement has taken control. Maybe the only indication is that the system pull-down menu is no longer customized correctly or a transition animation isn't right. It's common enough that I do not install ad-supported software anymore.

    1. Anonymous Coward
      Holmes

      Re: Trying to make it sound unusual?

      Sounds like someone has been downloading a lot of silly games.

    2. Jamie Jones Silver badge

      Re: Trying to make it sound unusual?

      Why all the downvotes? I just pulled apart a game that created a 24/7 background process that logged ever time you started ANY app (including unix shell commands [it logged my use of ssh], and a fair number of the IP addresses you connect to. This module was part of an ad company sdk. It also included a mechanism to ;ull in a bunch of blacklisted ip addresses, no clue what that was used for.

      It's far from the first.

      Going to this companies web site, you see their boasts how they provide app developers who use their system with all the apps installed, when they are used, and all web pages the user visits

      They say 'with the users consent', but who would agree to that? It's probably buried deep in the terms and conditions.

      They are just one of many to do this. I thought it was against googles policy for apps to run in the background without a persistent notification..

  4. Suburban Inmate

    From time to time I get a stupid redirect to some ad shite (e.g. £500 voucher for Sainsbury Supermarket [sic] survey), usually when I stray from my usual few sites on Chrome. Would that be this or is it just the ads in the pages?

    1. Anonymous Coward
      Anonymous Coward

      Ads in pages.

  5. Anonymous Coward
    WTF?

    Apps, bloody apps

    Aside from Whatsapp (Android phone) and Kodi (Android PC), does anyone really need or want the contents of the Google play store? :)

    1. Pascal Monett Silver badge

      Do you have any idea of how many Whatsapp message notifications I get despite not having a Whatsapp account ?

      As far as I'm concerned, any app store is just a big Pandora's box that I can do without, thank you very much.

      Then again, I'm old enough to know how to use (and secure) a PC.

  6. Prst. V.Jeltz Silver badge

    malware missed a trick

    Wouldnt it be better , from the scammers pov , to have the malware click on the adds silently in the background to avoid pissing off your victims so much?

    1. Charles 9 Silver badge

      Re: malware missed a trick

      Can't. That's an administrative privilege which triggers a special warning. Greenify uses this privilege in non-root mode to force-close battery-chuggers. Furthermore, ad agencies tend to discredit zombie clicks since they can't trust that actual eyes saw the ads.

  7. Prst. V.Jeltz Silver badge

    what can you do?

    two-stage attack vector – insert a seemingly innocuous app that can then pull in a payload later on.

    I dont really see what can be done to guard against that , not at the google shop stage.

    all updates must come from the shop?

    all apps only access the shop not the internet? not practical i think.

    If the author of some app you've got decides to feed d you malware there nothing you can do apart from intercept it when it arrives - long after its left googles shop , so i dont see what google could've done about it.

    1. Uffish

      Re: "what google could've done about it."

      What they have done, perhaps a bit sooner.

      Google should (does?) take this seriously because a reputation for hosting shite is not what anyone wants.

    2. Adrian 4 Silver badge

      Re: what can you do?

      Doesn't Apple ban apps that have an execution environment ? Perhaps for this very reason ?

      1. Pascal Monett Silver badge

        Oh yeah, Apple can really be more trusted than Google.

        If you think either of them give one shit about you, you are sadly mistaken.

  8. Anonymous Coward
    Anonymous Coward

    Android really is a clusterf**k isn't it?

    ^ This.

    1. Nick Ryan Silver badge

      Re: Android really is a clusterf**k isn't it?

      Other app stores, and other Operating Systems have almost identical problems. Given enough obfuscation and a plan it should be relatively easy to hide malware in titles until you want them to trigger. If the malware is hidden/obfuscated well enough then it will get past automated scanners looking for it. The scanners can be updated but this is the same old problem with virus scanners - they are retrospective.

      1. Prst. V.Jeltz Silver badge

        Re: Android really is a clusterf**k isn't it?

        its more than that - How will the scanners scan for it if it hasnt even been written yet?

        The payload bay is at that point empty.

      2. Anonymous Coward
        Anonymous Coward

        Re: Android really is a clusterf**k isn't it?

        Don't have this on my Windows Phone, the store is completely empty of these type of app, well it's completely empty of any type of app, but malware free, which is unusual for Windows.

        Don't need no stinking apps anyway.

    2. Phukov Andigh Bronze badge

      Re: Android really is a clusterf**k isn't it?

      to be fair, the difference is, as an android user you have the personal control options to mitigate or eliminate risks as soon as you're aware of them

      Apple, you're dependent on Cupertino choosing whether or not a particular attack vector is serious enough to modify your phone to prevent it-or if that particular vector is too valuable for Cupertino to exploit itself and allow it to keep open. No choice in the matter without absolutely violating any warranties and getting pretty much hosed for doing so.

      Android phones, I've rooted, and then restored to factory settings if I screwed up-good enough to get the phone serviced under warranty. Apple devices, once jailbroken, Ive not been successful in un-jailbreaking in a manner good enough to get Apple to honor warranties or service on the device ever again.

      Can't speak to Windows Phone. Other than with experience in Windows OS's from 3.1 up to 10

  9. Michael Habel Silver badge

    Just One more reason

    Why everyone should be running AdAway.

    1. Michael Kean

      Re: Just One more reason

      AdAway needs root though. For the unrootable, AdGuard of almost as good. Have to get it as an apk though as Google won't allow it on the Play store for obvious reasons.

      1. Anonymous Coward
        Anonymous Coward

        Re: Just One more reason

        Oh? What's this, then?

        https://play.google.com/store/apps/details?id=com.adguard.android.contentblocker&hl=en

        And yes, it's current.

  10. Anonymous Coward
    Anonymous Coward

    You could avoid all apps that have internet access, but you'll miss a lot of good apps that way. The internet is useful for more than delivering adverts.

    You could avoid all apps with adverts and only buy apps. You'll miss a lot of good apps that let you pay to remove adverts and add extra functionality

    Google Permisions could white-list and display which sites the app is allowed to connect to, with the popular ones given a friendly name 'Unity Adverts', 'Google Ads', http:myevilsite.com etc. Rather than all or nothing internet access.

    Or perhaps the popular advert links could be listed in the Android settings and if you don't allow it, then any app that requests such a site will have to popup a request to unblock it on first use.

    Basically an app-aware built-in rules-based firewall for Android.

    1. the Jim bloke Silver badge

      While I initially agreed, the idea that only google whitelisted ads would be connected is one of the things wrong with the modern web.

      Google has too much control over what gets seen on the web, both blocking content that doesnt pay their extortion and pushing rubbish we dont want because it has paid said extortion.. yet there is definitely a need to block malicious content - as far away from the end user as possible.

      Third party filters are also a problem - just who is trustworthy?

      Too hard for me, think I want to take up gardening

  11. Stevie

    Bah!

    Read as far as "JavaScript" then skimmed the rest.

    JavaScript: the web attack vector of choice. Put some on your computer today.

    1. Naselus

      Re: Bah!

      "JavaScript: the web attack vector of choice."

      Thought Flash was still the lord and master of that particular contest.

      1. Danny 14

        Re: Bah!

        Flash is head to head with Java.

  12. Dan 55 Silver badge

    So much for the Bouncer

    While the ads are downloaded, the code to open a hidden browser window, download a web page and render it, then show it over everything else is inside the original app. Very few apps legitimately need to do things like that and the page can be set to do anything in the future.

    Why are we putting our faith in what is probably a giant regex string at Google's end?

  13. Phukov Andigh Bronze badge

    I must be using the wrong apps

    or am part of the wrong demographic

    every trojan android app story is for something Ive either never heard of or have no interest in downloading or trying.

    so far anyways. I guess not being into kids' fad apps or "earn money by doing what you're already doing with this app" or "download an app for every stinkin' retailer you ever visit for a few pennies off" seems to help me avoid the lions' share.

    Avoiding really obvious knockoffs seems to neutralize the rest.

    1. Jamie Jones Silver badge

      Re: I must be using the wrong apps

      If you have more than 10 apps installed, I BET at least one is grabbing information you don't know about!

  14. Anonymous Coward
    Anonymous Coward

    I think I'll buy a Microsoft desktop and Google mobile. Will proper save me dollar and be awesome.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022