
The Judy Malware: Possibly the largest malware campaign found on Google Play - blaqkangel
http://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/
======
smilliken
It looks like the common component across the apps mentioned is in the
"net.shinhwa21.jsylibrary" namespace.

I made a list of the apps with that namespace, preview here:
[https://mixrank.com/playstore/apps?expiration=2017-06-30&lis...](https://mixrank.com/playstore/apps?expiration=2017-06-30&list.id=8ce2b11ce0&sharedby=scott%40deltaex.com&auth=5130e518573dd928)

This list is a few times bigger than the ones mentioned in the article (been
crawling for a long time, and trying to be complete). If there's any security
folks here that want access to the APKs for research, I'm happy to share
(scott at mixrank).

~~~
tyingq
Nice work. Odd that you would be ahead of Google though. They pulled only the
apps mentioned in the article so far.

------
problems
This isn't really malware in the traditional sense, it doesn't damage users of
the app itself or harvest information from them, this is simply ad fraud, it
only damages Google and its advertisers.

It seems to me like CheckPoint is fishing for internet points with this title.

~~~
astrodust
It's malware in the traditional sense: "Programs that do things you wouldn't
expect or authorize them to do that are harmful either to yourself or to
others."

~~~
eternalban
I certainly didn't "expect" (nor ever authorize) my browser to maintain open
SSL connections to servers in googleplex sending them God knows what.

Does that mean Chrome is malware, too?

~~~
whatshisface
We'd probably be a lot further along if we all considered greasy hidden
behaviors just as bad as greasy hidden behaviors written by those who don't
pay taxes.

------
spcelzrd
There will always be bad actors, but I can't understand why Google tolerates
low level malware. At least make them work a little.

~~~
Cyph0n
This is the kind of malware that is difficult to block imo. As long as the
auto clicking is done at a suitable interval, there really is no easy way to
detect it.

The question is: would such an attack work on Apple devices? I'm assuming that
the iOS API provides similar functionality to apps running on the device.

~~~
openasocket
You don't need to detect it as it's going on, it should be a part of the
approval process for getting the app accepted into the Play store. Apps
should undergo regular static and dynamic analysis. And probably some
improvements to Bouncer.

~~~
Cyph0n
Static analysis likely will not detect this type of malware as the malicious
payload is only retrieved once the app is running. As for dynamic analysis,
it's usually pretty easy to evade for a capable malware author. The only
surefire way to catch this is to have someone manually analyze the app.

~~~
openasocket
Dynamic analysis isn't perfect by any means, but I expect Google to at least
try, to get the low hanging fruit. As the OP said: "at least make them work a
little." Do we know if this malware had sandbox detection techniques?

~~~
NikolaeVarius
Why do you assume Google doesn't try?

~~~
openasocket
Technically, I said "I expect Google to at least try," which is just stating
my expectations rather than stating anything about whether Google met my
expectations ;)

But seriously, that's a fair point, my statement implied an unsourced
assumption. I think Google tries to some extent, but I can't find anything
saying Judy had anti-analysis capabilities, which makes me suspicious as to
the effectiveness of Google's dynamic analysis of Play Apps.

------
userbinator
_Upon clicking the ads, the malware author receives payment from the website
developer, which pays for the illegitimate clicks and traffic._

Are they really certain of this, or could it just be the work of someone who
wants to "poison the well" of Google's ad network data collection?

It somehow reminds me of
[https://news.ycombinator.com/item?id=10611594](https://news.ycombinator.com/item?id=10611594)
(Would CheckPoint also consider that malware?)

~~~
weeks
If the user isn't informed the app they installed is clicking on ads, it
absolutely is malware.

------
michaelbuckbee
I'm curious if anyone has a sense for how much they made from this? I just
don't have a good sense for scale and dimensions of this.

If it went undetected for so long they must not have been at least somewhat
conservative in their approach, so say 5mil DAU times 1 click a day at
$0.25/click. So, million-ish dollars a day?

~~~
UseofWeapons1
Per a Forbes article on the subject [0]

"Check Point estimated the firm was making millions from the ad clicks, in the
region of $300,000 per month."

I imagine your price per click is over-estimated by a couple orders of
magnitude, but that's just a guess.

[0]
[https://www.forbes.com/sites/thomasbrewster/2017/05/26/googl...](https://www.forbes.com/sites/thomasbrewster/2017/05/26/google-shuts-down-massive-ad-fraud-on-play-store/#780741487807)

~~~
ChuckMcM
Somewhere between $250K - $400K a month seems to be the thoughts of various
open sources on the matter. That would put it in the $3 - $5 million per year
at its peak. Assuming their play took a while to ramp up maybe $25 million
total?

Google makes more than $25B/year in revenue so even with a 30/70 payout (30
percent to the fraudsters) maybe .001% of Google's ad revenue?

And that is why people do this stuff. Other than getting booted off the store
nothing else will happen to these people who just made tens of millions of
dollars.

------
elliottcarlson
"Some of the apps we discovered resided on Google Play for several years, but
all were recently updated. It is unclear how long the malicious code existed
inside the apps, hence the actual spread of the malware remains unknown."

If these apps were indeed popular, I would imagine the historical APKs are
available for the various versions on pirate sites. Simply performing a Google
search for "Fashion Judy: Snow Queen style apk" shows downloads for different
versions of it. This can give a better idea of the length of infection.

------
mtgx
This is why no matter how much Google brags about its machine learning-powered
anti-malware protection, it can't rely solely on it to defend Android users,
because it's still a cat and mouse game with sophisticated attackers. They
need to find a way to patch all devices in a timely manner.

~~~
openasocket
This isn't really an issue with a vulnerability, AFAICT. The App is basically
just automatically clicking ads in the background. I'm not sure there's an
easy way to prevent this from happening at the end user level, except by
static and dynamic analysis on the part of Google to keep the Play store free
of malicious Apps.

~~~
ry_ry
It'd be obvious on the ads side though - If this was activated across multiple
apps simultaneously, their clickthrough rate would have gone through the roof.

Heck, even if it was dripped out slowly, average % clickthrough - even on
mobile where ads get fat fingered more often - is a tiny fraction of views.
They would have been reporting some pretty crazy numbers.

No way in the world this wasn't easily spotted, when clickfraud is already a
well known thing and Google are in the business of tracking things to sell
more ads.
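The two points raised in this thread, that an auto-clicker paced at a "suitable interval" is hard to spot on the device and that it should nevertheless stand out on the ad-serving side through its click-through rate, can both be turned into detection logic. The following script is an added example, not code from any commenter or from Google's or Check Point's systems. It builds a constructed impression/click log for four hypothetical apps (three with ordinary rates and irregular click timing, one that clicks once every 60 seconds), then flags apps on two signals: a click-through rate far above the fleet median, and clicks whose inter-arrival gaps are too regular to be human. All thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev


def make_sample_log():
    """Constructed sample log: three legitimate apps with a normal click-through
    rate and irregular click timing, plus one app whose clicks arrive on a fixed
    60-second timer. Format: '<iso timestamp> app=<package> event=<type>'."""
    start = datetime(2017, 5, 20, 10, 0, 0)
    lines = []

    def emit(app, event, t):
        lines.append(f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} app={app} event={event}")

    legit_click_offsets = {  # seconds after start at which a real click lands
        "com.example.puzzle": [37, 412, 1190, 2003, 3377, 4021, 5560, 7002],
        "com.example.weather": [120, 860, 1530, 2240, 4800, 6100],
        "com.example.notes": [505, 1333, 2690, 3999, 6666],
    }
    for app, offsets in legit_click_offsets.items():
        for i in range(1000):
            emit(app, "impression", start + timedelta(seconds=8 * i))
        for off in offsets:
            emit(app, "click", start + timedelta(seconds=off))

    fraud = "com.example.fashion"  # hypothetical auto-clicking app
    for i in range(1000):
        emit(fraud, "impression", start + timedelta(seconds=8 * i))
    for i in range(120):
        emit(fraud, "click", start + timedelta(seconds=60 * i))
    return lines


def parse_log(lines):
    """Group event timestamps by app and event type."""
    events = defaultdict(lambda: {"impression": [], "click": []})
    for line in lines:
        ts, app_kv, ev_kv = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[app_kv.split("=", 1)[1]][ev_kv.split("=", 1)[1]].append(t)
    return events


def click_through_rate(app_events):
    imps = len(app_events["impression"])
    return len(app_events["click"]) / imps if imps else 0.0


def interval_regularity(clicks):
    """Coefficient of variation of the gaps between consecutive clicks.
    Human clicks are irregular (well above 0); a timer gives a value near 0.
    Returns None when there are too few clicks to say anything."""
    if len(clicks) < 3:
        return None
    ordered = sorted(clicks)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def flag_suspicious_apps(lines, ctr_multiplier=5.0, min_clicks=20, max_cv=0.05):
    """Return {app: [reasons]} for apps that trip either signal. The thresholds
    are assumed values for this example, not figures from any ad network."""
    events = parse_log(lines)
    ctrs = {app: click_through_rate(ev) for app, ev in events.items()}
    baseline = median(ctrs.values())
    findings = {}
    for app, ev in events.items():
        reasons = []
        if baseline > 0 and ctrs[app] > ctr_multiplier * baseline:
            reasons.append(f"ctr {ctrs[app]:.3f} vs fleet median {baseline:.3f}")
        cv = interval_regularity(ev["click"])
        if cv is not None and len(ev["click"]) >= min_clicks and cv < max_cv:
            reasons.append(f"{len(ev['click'])} clicks with near-constant spacing (cv={cv:.3f})")
        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in flag_suspicious_apps(make_sample_log()).items():
        print(app, "->", "; ".join(reasons))
```

Of the two signals, the rate comparison is the sturdier one: it needs no assumption about timing and reflects exactly the fleet-wide anomaly the comment above describes, while the spacing check depends on the pacing the earlier comment notes an author can choose. A real deployment would also bucket by day and by ad unit, since the comment's "dripped out slowly" case only shows up against the right baseline.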

------
samdung
Android is the new Windows. Expecting some downvotes. But truth must be told.
You're welcome.

~~~
problems
Not really the truth - Android apps are all sandboxed and have relatively
little access.

In fact the only thing this oh-so-evil malware did was generate fake Google Ad
clicks. Not really an offense against its users at all and it can be trivially
uninstalled. I certainly wouldn't compare that to ransomware, DDoS botnets,
search hijackers, etc that deeply nest themselves in your system and resist
uninstallation so much that reinstalling the OS is often the suggested
recovery option.

~~~
freeflight
>I certainly wouldn't compare that to ransomware, DDoS botnets, search
hijackers, etc that deeply nest themselves in your system and resist
uninstallation so much that reinstalling the OS is often the suggested
recovery option.

Lots of adware can be equally sticky because it keeps on loading new crap on
the system if you just miss it in one place. Tbh the worst disaster system
I've seen usually involved adware, sure it's not a total data loss but I'd
guess it's far more widespread than ransomware.

And I'd consider any behavior, that's not approved by the user, as an offense
against the user. After all, this stuff is taking up resources that otherwise
wouldn't be used (traffic, memory, CPU cycles and as such battery).

I also consider having random ads pop up, with no way around them except
clicking them, pretty offensive behavior towards the user.

This stuff might, for now, be rather easy to uninstall but nobody can
guarantee that won't change in the future and infected phones end up in a
similar bad state like Windows systems with sticky adware infections.

~~~
problems
> Lots of adware can be equally sticky because it keeps on loading new crap
> on the system if you just miss it in one place. Tbh the worst disaster
> system I've seen usually involved adware, sure it's not a total data loss
> but I'd guess it's far more widespread than ransomware.

Important to note that you're talking on Windows here. On Android it can't do
anything of the sort.

> And I'd consider any behavior, that's not approved by the user, as an
> offense against the user. After all, this stuff is taking up resources that
> otherwise wouldn't be used (traffic, memory, CPU cycles and as such battery)

Nasty advertising practices are already quite common in the mobile world,
compare with the apps that do push ads, notifications for in app purchases,
full screen ads that are hard to click off, etc.

> This stuff might, for now, be rather easy to uninstall but nobody can
> guarantee that won't change in the future and infected phones end up in a
> similar bad state like Windows systems with sticky adware infections.

Short of sandbox breakouts becoming rampant - which would surely get noticed
quickly - it can be guaranteed this will never become a concern on Android or
any similar platform.

