Last month’s ransomware attack “WannaCry” locked out many computers across the world and spread chaos in the hospitality and banking sector. One would have thought that internet security agents would have learned their lessons. However just as the world was reeling from the attack, a new malicious code is threatening to wreck the security dome of cyberspace. Labelled ‘Judy’ many experts have said that it is possibly the largest malware attack to hit Android’s Google Play. This raises concerns as Android operated phones now cross over 2 billion.

The security firm Checkpoint reported ‘Judy’ has infected about 36.5 million handsets across the world with its malicious ad-click software. The malware is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware is known to have infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the organizers behind it. Some of the apps resided in Google Play for several years, but all were recently updated.

The concerning issue has been that several apps which were found to be infected have been made by other developers on Google Play. This raises issues about the actual spread of the malware, which remains unknown but could be more widespread than believed. The previous malware infiltrators Falseguide and Skinner had also managed to infect various handsets.

It is worth noting that Falseguide requests an unusual permission on installation – ‘device admin permission’. This admin permission allows it to receive messages containing links to additional module. Depending on the attacker’s objective, these modules can contain highly malicious code to root the device, conduct a DDos attack or even penetrate the private networks of the user.

How Judy Operates

To bypass the Google Play protection security hackers create an app which is downloaded. It silently registers receivers which establish a connection with the C&C server. “The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.” Judy displays a large number of advertisements that in some cases leave users with no option of clicking the ad itself.

It is reported that the malicious apps are all developed by a Korean Company named Kiniwini, registered in Google Play as ENISTUDIO corp.

Apps with a high rating are not necessarily safe ones on Google Play either. Hackers can target the un-suspicious apps and find their ways into your smartphones. All users therefore should not rely on the official app stores for safety and implement advanced security protections that can protect laptops and smartphones. Even as cyberspace remains increasingly handy for everyone, the security concerns cannot be neglected, and as ransomware and Judy have shown, we cannot leave our internet security in the hands of the internet giants. We need to take meaningful steps to protect our internet security immediately.