
No Root Firewall
This has been a godsend in reducing the amount of advertising. :)
I have also stopped installing any software that contains advertising and would need internet connection.
As many as 36.5 million Android users may have been infected by advertising fraud malware that could have been lurking in Google Play Store for years. The malware, dubbed "Judy" by the researchers at Check Point who discovered it, was found in 41 apps in the Store, all made by Korean publisher ENISTUDIO. While Google has now …
More of a question, what were the titles? I have seen a lot of ink on this but no one has stated what the apps were.
I know I am being lazy but the headlines indicate it is much more serious than it is as the posts do not mention what it does (bogus ad clicks) or what the apps are (games it looks like in this case). I hate the sky is falling particularly when I find out I am completely unaffected.
The titles are in the Checkpoint's advisory blog that is linked to in the article.
http://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/
Mainly ones with "Fashion Judy", "Animal Judy", "Chef Judy" & "Judy’s Spa Salon" in the title, but it also lists some that don't (by the other developer that was mentioned).
That article of course has a link promoting their own security products to protect you (of course if it was that good, why did it take so long for them to find this).
My irritation is with the tendency of many sites to hype the problem without giving sufficient details to a reader to figure out if they are even remotely affected. At the Lurker's household we have Android phones. But none have any of these apps. But a couple of members, half panicked by the hysterical hype on some sites (not El Reg) were asking what to do. Since we were unaffected (none of the apps were ever installed) my answer was nothing.
The article clearly states that if you're infected you will be bombarded by advertising that you need to click away to reach the home screen. Are you bombarded by advertising that you need to click away to reach the home screen? If not then you are not infected, if you are then you should have realised you have a problem without the article.
Most apps on Play Store get completely hijacked by their own ad libraries. It has a rare trigger, so as to evade detection, but it eventually happens. Some are so well crafted that you don't notice the exact point where the advertisement has taken control. Maybe the only indication is that the system pull-down menu is no longer customized correctly or a transition animation isn't right. It's common enough that I do not install ad-supported software anymore.
Why all the downvotes? I just pulled apart a game that created a 24/7 background process that logged every time you started ANY app (including unix shell commands [it logged my use of ssh]), and a fair number of the IP addresses you connect to. This module was part of an ad company SDK. It also included a mechanism to pull in a bunch of blacklisted IP addresses, no clue what that was used for.
It's far from the first.
Going to this company's web site, you see their boasts how they provide app developers who use their system with all the apps installed, when they are used, and all web pages the user visits.
They say 'with the users consent', but who would agree to that? It's probably buried deep in the terms and conditions.
They are just one of many to do this. I thought it was against Google's policy for apps to run in the background without a persistent notification.
Can't. That's an administrative privilege which triggers a special warning. Greenify uses this privilege in non-root mode to force-close battery-chuggers. Furthermore, ad agencies tend to discredit zombie clicks since they can't trust that actual eyes saw the ads.
two-stage attack vector – insert a seemingly innocuous app that can then pull in a payload later on.
I don't really see what can be done to guard against that, not at the Google shop stage.
All updates must come from the shop?
All apps only access the shop, not the internet? Not practical, I think.
If the author of some app you've got decides to feed you malware there's nothing you can do apart from intercept it when it arrives - long after it's left Google's shop, so I don't see what Google could've done about it.
Other app stores, and other Operating Systems have almost identical problems. Given enough obfuscation and a plan it should be relatively easy to hide malware in titles until you want them to trigger. If the malware is hidden/obfuscated well enough then it will get past automated scanners looking for it. The scanners can be updated but this is the same old problem with virus scanners - they are retrospective.
To be fair, the difference is, as an Android user you have the personal control options to mitigate or eliminate risks as soon as you're aware of them.
Apple, you're dependent on Cupertino choosing whether or not a particular attack vector is serious enough to modify your phone to prevent it - or if that particular vector is too valuable for Cupertino to exploit itself and allow it to keep open. No choice in the matter without absolutely violating any warranties and getting pretty much hosed for doing so.
Android phones, I've rooted, and then restored to factory settings if I screwed up - good enough to get the phone serviced under warranty. Apple devices, once jailbroken, I've not been successful in un-jailbreaking in a manner good enough to get Apple to honor warranties or service on the device ever again.
Can't speak to Windows Phone. Other than with experience in Windows OS's from 3.1 up to 10.
You could avoid all apps that have internet access, but you'll miss a lot of good apps that way. The internet is useful for more than delivering adverts.
You could avoid all apps with adverts and only buy apps. You'll miss a lot of good apps that let you pay to remove adverts and add extra functionality.
Google Permissions could white-list and display which sites the app is allowed to connect to, with the popular ones given a friendly name 'Unity Adverts', 'Google Ads', http:myevilsite.com etc. Rather than all or nothing internet access.
Or perhaps the popular advert links could be listed in the Android settings and if you don't allow it, then any app that requests such a site will have to pop up a request to unblock it on first use.
Basically an app-aware built-in rules-based firewall for Android.
While I initially agreed, the idea that only Google whitelisted ads would be connected is one of the things wrong with the modern web.
Google has too much control over what gets seen on the web, both blocking content that doesn't pay their extortion and pushing rubbish we don't want because it has paid said extortion. Yet there is definitely a need to block malicious content - as far away from the end user as possible.
Third party filters are also a problem - just who is trustworthy?
Too hard for me, think I want to take up gardening.
While the ads are downloaded, the code to open a hidden browser window, download a web page and render it, then show it over everything else is inside the original app. Very few apps legitimately need to do things like that and the page can be set to do anything in the future.
Why are we putting our faith in what is probably a giant regex string at Google's end?
or am part of the wrong demographic
Every trojan Android app story is for something I've either never heard of or have no interest in downloading or trying.
So far anyways. I guess not being into kids' fad apps or "earn money by doing what you're already doing with this app" or "download an app for every stinkin' retailer you ever visit for a few pennies off" seems to help me avoid the lion's share.
Avoiding really obvious knockoffs seems to neutralize the rest.