The Judy Malware: Possibly the largest malware campaign found on Google Play (checkpoint.com)
89 points by blaqkangel on May 30, 2017 | 84 comments



It looks like the common component across the apps mentioned is in the "net.shinhwa21.jsylibrary" namespace.

I made a list of the apps with that namespace, preview here: https://mixrank.com/playstore/apps?expiration=2017-06-30&lis...

This list is a few times bigger than the ones mentioned in the article (been crawling for a long time, and try to be complete). If there's any security folks here that want access to the APKs for research, I'm happy to share (scott at mixrank).
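The comment above identifies a shared package namespace as the common component across the affected apps. The following script is an added example of how a defender would triage an APK corpus for such a known SDK prefix; it is not mixrank's crawler or Check Point's tooling. It relies on two facts: an APK is a ZIP archive, and Dalvik type descriptors inside `classes*.dex` appear as `Lnet/shinhwa21/jsylibrary/...;`, so a byte search over every dex entry is a cheap first pass. The sample APKs, file names and the `make_fake_apk` helper are constructed for the example and are not real dex files.

```python
"""Triage a set of APKs for a known SDK package prefix.

Added example for this thread (not mixrank's or Check Point's code).
A miss means 'no plain-text evidence', not 'clean': apps that obfuscate,
encrypt or download the library at runtime will not match.
"""
import hashlib
import io
import zipfile


def package_descriptor(package: str) -> bytes:
    """Java package name -> Dalvik descriptor prefix, e.g. b'Lnet/foo/bar/'."""
    return b"L" + package.replace(".", "/").encode() + b"/"


def dex_entries(apk_bytes: bytes):
    """Yield (entry name, raw bytes) for every classes*.dex inside the APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith("classes") and info.filename.endswith(".dex"):
                yield info.filename, zf.read(info)


def apk_contains_package(apk_bytes: bytes, package: str) -> bool:
    """True if any dex entry references a type under `package`."""
    needle = package_descriptor(package)
    return any(needle in data for _, data in dex_entries(apk_bytes))


def triage(apks: dict, package: str) -> list:
    """Return [(name, sha256)] for every APK whose dex code references `package`.

    The digest is what you would share with other researchers instead of
    the APK itself (compare the request for digests elsewhere in this thread).
    """
    hits = []
    for name, data in sorted(apks.items()):
        if apk_contains_package(data, package):
            hits.append((name, hashlib.sha256(data).hexdigest()))
    return hits


def make_fake_apk(dex_strings) -> bytes:
    """Constructed stand-in for an APK: a zip with a fake classes.dex whose
    bytes contain the given descriptor strings. Not a valid dex file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0".join(dex_strings))
    return buf.getvalue()


# Package name taken from the comment above; sample corpus is constructed.
SUSPECT_PACKAGE = "net.shinhwa21.jsylibrary"
SAMPLE_APKS = {
    "fashion_game.apk": make_fake_apk(
        [b"Lcom/example/game/Main;", b"Lnet/shinhwa21/jsylibrary/Loader;"]
    ),
    "clean_app.apk": make_fake_apk([b"Lcom/example/clean/Main;"]),
}

if __name__ == "__main__":
    for name, digest in triage(SAMPLE_APKS, SUSPECT_PACKAGE):
        print(f"{name}\t{digest}")
```

For a real corpus, replace `SAMPLE_APKS` with a dict read from a directory of `.apk` files; the byte search is deliberately crude so that it runs quickly over thousands of files before any heavier decompilation.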


Nice work. Odd that you would be ahead of Google though. They pulled only the apps mentioned in the article so far.


Would you mind sharing the digests of the apps you discovered, only ten are visible and it looks like there are multiple steps to set up a mixrank account


Could be that legit apps have legit versions of those components.


This isn't really malware in the traditional sense, it doesn't damage users of the app itself or harvest information from them, this is simply ad fraud, it only damages Google and its advertisers.

It seems to me like CheckPoint is fishing for internet points with this title.


It's malware in the traditional sense: "Programs that do things you wouldn't expect or authorize them to do that are harmful either to yourself or to others."


I certainly didn't "expect" (nor ever authorize) my browser to maintain open SSL connections to servers in googleplex sending them God knows what.

Does that mean Chrome is malware, too?


We'd probably be a lot further along if we all considered greasy hidden behaviors just as bad as greasy hidden behaviors written by those who don't pay taxes.


If it makes you feel any better, Google hasn't supported SSL for some time.

Open TLS connections on the other hand, well now that's a different story.


Well malware has many categories and one is adware.


If I read the article correctly, it downloads JavaScript code to load ad pages.

It never bypassed the sandbox. I don't think you can call this malware


I work in the security space, and I would definitely consider this malware. Generally, any software used with a malicious purpose is considered malware. As an example, keyloggers generally aren't exploiting any vulnerability (though malware often uses a vulnerability to install the keylogger in the first place), they're using the standard functionality of the computer as intended, but with malicious intent, and so keyloggers are considered malware. It's not breaking out of the sandbox, but it turns out the sandbox is a pretty big place with a lot of room to do what it wants, so why bother trying to break out?


Yeah, technically I can see it as malware, but not really in the same way... keyloggers obviously harm the user in collecting data against them, there's no malicious intent against the user here. This is only a minor increase over the already quite nasty but common mobile advertising practices.

In fact, I'd argue the information harvesting most mobile ad networks do is much more harmful than this click fraud. Do we ban all of those as malware too? Most of them don't mention that they send things like unique device identifiers, connected wifi networks or Google account information.


This is not so much a matter of debate as of reading up.

https://en.wikipedia.org/wiki/Malware

> Some malware is used to generate money by click fraud, making it appear that the computer user has clicked an advertising link on a site, generating a payment from the advertiser. It was estimated in 2012 that about 60 to 70% of all active malware used some kind of click fraud, and 22% of all ad-clicks were fraudulent

If you want to coin a new term feel free, but malware means what it means and refers to malicious, not "more malicious than", not "malicious against the user" etc.


Does this encompass malware that sends unique device identifiers to 3rd parties? Google account names? Or are those extremely common practices not considered malicious at all? In my opinion those are much more malicious actions. The only way to compare malicious with malicious is indeed relative. If one arguably malicious action is prohibited but another is not, you have to question the motivations. "More malicious than" common practice therefore seems like a very good question to ask.


Yes, I absolutely agree that plenty of commonly practiced or even accepted things are malicious, too, at least with the way they're hand waved away ("to improve our service" and worse).


>there's no malicious intent against the user here

Eating up their battery/resources running hidden code that pretends to be them is kinda malicious. I also count hidden bitcoin miners as malicious.


Isn't that all ads, then? I mean, as an end user, which is more harmful to you - downloading a bunch of ads and filling your screen with them, or downloading a bunch of ads and not displaying them?

You are going to use more battery and resources actually displaying the ads, not to mention the worse user experience. If I had to pick between the two, I would prefer 'download and don't display' over 'download and display'


Ads don't have malicious intent (usually). You may not like them, but displaying ads doesn't cause you harm. You could argue "having to see ads is inconvenient, which is a kind of harm" but just because software is inconvenient or doesn't do exactly what you want doesn't mean it's malicious. In this case, what makes Judy malicious is that it is using your machine to defraud advertisers.


It often takes my personal information, unique device identifiers etc and sends them over the internet without my consent. That causes harm. IMO, much more so than defrauding some advertisers.


As I said in another comment, the term "malicious" is obviously open to interpretation, so yes, you could make the argument that that is malware. You just have to convince others of your argument.

I'm not really interested in having that argument here, since it's really off topic for this article.


For sure, but any extra battery and resource consumption here would be extremely minor compared to a bitcoin miner. Many apps do various forms of push advertising and background reporting which does quite similar things, do you consider that to be malware too? Ultimately the only difference here is that this one abuses Google and their advertisers instead of the user, which seems to be an accepted and common advertising practice. In my opinion at least, it's not significantly different from those behaviors.


What if this is self-modifying code? Now instead of clicking ads, now DDoS? Malicious is basically bad intent. This is an unauthorized activity so it is malicious.


It's not self-modifying code, it's looking specifically for google.com frames, see the source in the link. This is hardly worse intent than any other mobile ad these days.


> no malicious intent against the user

Lots of malware doesn't have malicious intent against the user. Like botnets for DDoS attacks. Those things generally don't have any noticeable impact on the user, aside from increased network usage, but do immense damage to their targets.

I agree it's different than typical malware. As for considering ad tracking malware, the term "malicious" is obviously open to interpretation, so yes, you could make the argument that that is malware. You'd just have to convince others this meets the criteria for maliciousness. I've certainly heard people say that DRM software is malware.


If you're using my cycles, bandwidth, memory, power, etc. without my permission, it is malware.

This is not really that different than the spam "debate" - I've heard people argue that spam is no big deal because the bulk of it is caught. Tell that to people who run mail servers (but only if you brought your earplugs).

I suppose that, because many people put up with so much surveillance, they have difficulty drawing a line. I find this one a simple line to draw, but if you feel the need to place it elsewhere, the best predicate tipping point is based on intent.


> the best predicate tipping point is based on intent.

So, what of intent - are those people taking unique device identifiers, account names, installed package lists, etc not of a malicious intent with them? I'd say so. I'd say that intent is far more malicious than defrauding some advertisers.


And I'd agree with you - I also consider corporate surveillance as routinely practiced to be malevolent.


Adjust your sense of "technically," the original malware was shit like Hotbar and Comet Cursor. Trying to change the topic to "everybody who tracks anything" isn't helpful.


> keyloggers generally aren't exploiting any vulnerability

That's a very odd definition you have.

Rest assured, nobody is saying these kinds of apps are acceptable. But calling them malware is not right when they technically don't use more than they have been given access to (network + some CPU time)?


Which part is odd? You can use standard APIs like GetAsyncKeyState() or various utilities for screen scraping and reading the paste buffer to make a key logger, no vulnerabilities required. We still consider such a thing malware of course. The point is exploiting vulnerabilities is not a necessary condition for something to be considered malware.


He's probably referring to injecting/deploying the keylogger in the first place. Either it came with a malicious software, via a system exploit, or someone installed it having physical access.


Or, like in the case of Judy, people installed it willingly, because it was hidden inside a game. If a game or some sort of application people install on their machine had a key logger component, we'd consider that malware, and still no vulnerabilities needed, just basic social engineering.


agree


So if I'm on a metered data connection, getting hit with would result in...?


Probably not much more than viewing a few ads in the first place. They can't cheat that hard or they'll get caught.


A sandbox bypass would be an exploit, much more severe than malware.


I gotta agree, even tho technically it is malware.


There will always be bad actors, but I can't understand why Google tolerates low level malware. At least make them work a little.


This is the kind of malware that is difficult to block imo. As long as the auto clicking is done at a suitable interval, there really is no easy way to detect it.

The question is: would such an attack work on Apple devices? I'm assuming that the iOS API provides similar functionality to apps running on the device.


You don't need to detect it as it's going on; it should be a part of the approval process for getting the app accepted into the Play store. Apps should undergo regular static and dynamic analysis. And probably some improvements to Bouncer.


Static analysis likely will not detect this type of malware as the malicious payload is only retrieved once the app is running. As for dynamic analysis, it's usually pretty easy to evade for a capable malware author. The only surefire way to catch this is to have someone manually analyze the app.


Dynamic analysis isn't perfect by any means, but I expect Google to at least try, to get the low hanging fruit. As the OP said: "at least make them work a little." Do we know if this malware had sandbox detection techniques?


Why do you assume Google doesn't try?


Technically, I said "I expect Google to at least try," which is just stating my expectations rather than stating anything about whether Google met my expectations ;)

But seriously, that's a fair point, my statement implied an unsourced assumption. I think Google tries to some extent, but I can't find anything saying Judy had anti-analysis capabilities, which makes me suspicious as to the effectiveness of Google's dynamic analysis of Play Apps.


I would expect the malware developers already to have targeted iOS if it were possible?


There are over twice as many android devices as ios devices, so if you're a malware creator it might make sense only to target the biggest fish.


It would make sense to target both.


Who's to say they haven't already?


From the article: "The company develops mobile apps for both Android and iOS platform"

The apps are probably removed from both stores by now so we will never know ;)


They develop apps for both, but that doesn't necessarily mean they had the same adware in the iOS version.


But why not? This is not some complex exploit, just standard JavaScript.

I saw the same attitude after the Xcode backdoor. "There is no reason to believe any personal data has been affected" - well, if Apple didn't even know this thing existed, how could they possibly know if it was actively used??

Edit: according to reddit apple just pulled all apps made by these guys. Not a proof of anything but still something to consider


The simple reason is if they thought that App Review might catch their shenanigans then they might decide to not do it on iOS, because being caught means having their apps pulled. I'm not surprised that Apple pulled their apps anyway, it's what I'd expect of them since they've demonstrated a willingness to put adware in their apps, even if it was only on Android.

So basically, maybe they put the adware in the iOS apps, maybe they didn't, but we can't tell from the article. But one would think that if they did, the article might have mentioned that, because it's a much better story to say "malware in the iOS app store" than it is to say "malware in the Google Play store".


I don't understand your comment. Apple and Google have the same mostly-automatic approval process.

(You didn't think Apple would manually inspect billions of apps and their updates? 2 weeks per app * 1 billion apps * 3 updates = 115 million man years)


Apple does not have an automatic approval process. They do a lot of automatic screening, because there's plenty that can be caught that way, but yes, every single app and update gets manual review by a human being.

And your math is very wrong. Very few apps update every 2 weeks, most of the apps on the app store probably haven't even been updated in the past few months, and there's not even close to a billion apps. In an interview back in January Phil Schiller said the App Store had 2.2 million apps.


Nope, you misread my numbers.

I assume it takes one person 2 weeks to fully analyze an app (we are after all looking for well hidden malware, possibly downloaded from network after some use). Times 2.2 million apps. Times an average of 3 updates during its life time.

There are not enough Apple employees to pull what you claim. Hence approval is semi-automatic, just like Google.

Edit: 1 billion changed to 2.2 million, my bad.


You have no idea what you're talking about. Tell literally any third-party Apple developer that app review is automatic and you'll be laughed out of the room. Your math is way off.


don't agree with my math? Show me your own numbers.

I feel you are just hiding your head in the sand instead of doing the sensible thing, which is to ask Apple to analyze this company's apps and report to the public whether the App Store was affected.


I don't need to show you my numbers, because it's literally public knowledge that Apple manually reviews all apps and updates, and every single third-party developer can confirm this. If your app is set up with any sort of analytics you can even see when the reviewer looks at your app!


Upon clicking the ads, the malware author receives payment from the website developer, which pays for the illegitimate clicks and traffic.

Are they really certain of this, or could it just be the work of someone who wants to "poison the well" of Google's ad network data collection?

It somehow reminds me of https://news.ycombinator.com/item?id=10611594 (Would CheckPoint also consider that malware?)


If the user isn't informed the app they installed is clicking on ads, it absolutely is malware.


I'm curious if anyone has a sense for how much they made from this? I just don't have a good sense for scale and dimensions of this.

If it went undetected for so long they must not have been at least somewhat conservative in their approach, so say 5mil DAU times 1 click a day at $0.25/click. So, million-ish dollars a day?


Per a Forbes article on the subject [0]

"Check Point estimated the firm was making millions from the ad clicks, in the region of $300,000 per month."

I imagine your price per click is over-estimated by a couple orders of magnitude, but that's just a guess.

[0] https://www.forbes.com/sites/thomasbrewster/2017/05/26/googl...


somewhere between $250K - $400K a month seems to be the thoughts of various open sources on the matter. That would put it in the $3 - $5 million per year at its peak. Assuming their play took a while to ramp up maybe $25 million total?

Google makes more than $25B/year in revenue so even with a 30/70 payout (30 percent to the fraudsters) maybe .001% of Google's ad revenue?

And that is why people do this stuff. Other than getting booted off the store nothing else will happen to these people who just made tens of millions of dollars.


So, this was an ad-referral click of some sort (article doesn't say)? AdWord clicks generate revenue for Google, not advertisers.


FTA:

Upon clicking the ads, the malware author receives payment from the website developer, which pays for the illegitimate clicks and traffic


"Some of the apps we discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown."

If these apps were indeed popular, I would imagine the historical APKs are available for the various versions on pirate sites. Simply performing a Google search for "Fashion Judy: Snow Queen style apk" shows downloads for different versions of it. This can give a better idea of the length of infection.


This is why no matter how much Google brags about its machine learning-powered anti-malware protection, it can't rely solely on it to defend Android users, because it's still a cat and mouse game with sophisticated attackers. They need to find a way to patch all devices in a timely manner.


This isn't really an issue with a vulnerability, AFAICT. The App is basically just automatically clicking ads in the background. I'm not sure there's an easy way to prevent this from happening at the end user level, except by static and dynamic analysis on the part of Google to keep the Play store free of malicious Apps.


It'd be obvious on the ads side though - If this was activated across multiple apps simultaneously, their clickthrough rate would have gone through the roof.

Heck, even if it was dripped out slowly, average % clickthrough - even on mobile where ads get fat fingered more often - is a tiny fraction of views. They would have been reporting some pretty crazy numbers.

No way in the world this wasn't easily spotted, when clickfraud is already a well known thing and Google are in the business of tracking things to sell more ads.
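The two detection angles raised in this thread are a click-through rate that is out of line with the rest of the inventory (the comment above) and, from an earlier comment, the observation that auto-clicks spaced at a "suitable interval" are hard to spot. The script below is an added example of both checks run over a constructed ad-event log; it is not Google's fraud detection nor anything Check Point describes. The log format (`ts,app,device,event`), the app and device names, and the thresholds (`factor`, `max_cv`, `min_clicks`) are all assumptions chosen for the sample data. The second check works against the "suitable interval" evasion rather than for it: clicks spaced too evenly are exactly what a bot with a fixed timer produces.

```python
"""Two cheap click-fraud signals over an ad-event log.

Added example for this thread (not Google's or Check Point's method).
Log lines are constructed as 'ts,app,device,event', event in
{impression, click}, ts in seconds.
  1. per-app CTR far above the population median (ctr_outliers);
  2. per-device click gaps too regular to be human (regular_clickers),
     measured as the coefficient of variation of the inter-click gaps.
Thresholds are assumptions for the sample, not production values.
"""
from collections import defaultdict
from statistics import mean, median, pstdev


def parse_events(lines):
    """Parse log lines into (ts, app, device, event) tuples, skipping comments."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, app, device, event = line.split(",")
        events.append((int(ts), app, device, event))
    return events


def ctr_by_app(events):
    """Clicks / impressions per app; apps with no impressions are skipped."""
    imps, clicks = defaultdict(int), defaultdict(int)
    for _, app, _, ev in events:
        if ev == "impression":
            imps[app] += 1
        elif ev == "click":
            clicks[app] += 1
    return {app: clicks[app] / imps[app] for app in imps if imps[app]}


def ctr_outliers(events, factor=5.0):
    """Apps whose CTR exceeds `factor` times the median CTR across apps."""
    ctr = ctr_by_app(events)
    if not ctr:
        return []
    baseline = median(ctr.values())
    return sorted(app for app, rate in ctr.items() if rate > factor * baseline)


def regular_clickers(events, max_cv=0.1, min_clicks=4):
    """Devices whose inter-click gaps have coefficient of variation < max_cv.

    A fixed-timer clicker yields near-identical gaps (cv ~ 0); human clicks
    are bursty. Requires at least `min_clicks` clicks to say anything.
    """
    times = defaultdict(list)
    for ts, _, device, ev in events:
        if ev == "click":
            times[device].append(ts)
    flagged = []
    for device, ts_list in times.items():
        if len(ts_list) < min_clicks:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < max_cv:
            flagged.append(device)
    return sorted(flagged)


def build_sample_log():
    """Constructed sample log: three apps, a human-like device d1 and a
    clockwork device d2 that clicks game_b every 600 seconds."""
    lines = ["# ts,app,device,event (constructed)"]
    for app in ("game_a", "game_b", "game_c"):
        lines += [f"{i * 100},{app},d1,impression" for i in range(20)]
    lines.append("150,game_a,d1,click")                       # one plausible click
    lines += ["130,game_b,d1,click", "900,game_b,d1,click",  # irregular human clicks
              "2000,game_b,d1,click"]
    lines += [f"{t},game_b,d2,click" for t in range(0, 3000, 600)]  # bot: 5 evenly spaced
    return lines


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    print("CTR by app:", ctr_by_app(evs))
    print("CTR outliers:", ctr_outliers(evs))
    print("regular clickers:", regular_clickers(evs))
```

On the sample, `game_b` is the only CTR outlier (8 clicks on 20 impressions against a median of one click per 20) and `d2` is the only device whose clicks are suspiciously regular; `d1` has four clicks but their gaps vary far too much to trip the check. In practice the regularity test needs a per-device/per-app key and a jitter-tolerant threshold, since a careful bot will randomise its timer, which is where the CTR check catches what the timing check misses.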


Android is the new Windows. Expecting some downvotes. But truth must be told. You're welcome.


Not really the truth - Android apps are all sandboxed and have relatively little access.

In fact the only thing this oh-so-evil malware did was generate fake Google Ad clicks. Not really an offense against its users at all and it can be trivially uninstalled. I certainly wouldn't compare that to ransomware, DDoS botnets, search hijackers, etc that deeply nest themselves in your system and resist uninstallation so much that reinstalling the OS is often the suggested recovery option.


>I certainly wouldn't compare that to ransomware, DDoS botnets, search hijackers, etc that deeply nest themselves in your system and resist uninstallation so much that reinstalling the OS is often the suggested recovery option.

Lots of adware can be equally sticky because it keeps on loading new crap on the system if you just miss it in one place. Tbh the worst disaster system I've seen usually involved adware; sure, it's not a total data loss, but I'd guess it's far more widespread than ransomware.

And I'd consider any behavior, that's not approved by the user, as an offense against the user. After all, this stuff is taking up resources that otherwise wouldn't be used (traffic, memory, CPU cycles and as such battery)

I also consider having random ads pop up, with no way around them except clicking them, pretty offensive behavior towards the user.

This stuff might, for now, be rather easy to uninstall but nobody can guarantee that won't change in the future and infected phones end up in a similar bad state like Windows systems with sticky adware infections.


> Lots of adware can be equally sticky because it keeps on loading new crap on the system if you just miss it in one place. Tbh the worst disaster system I've seen usually involved adware; sure, it's not a total data loss, but I'd guess it's far more widespread than ransomware.

Important to note that you're talking on Windows here. On Android it can't do anything of the sort.

> And I'd consider any behavior, that's not approved by the user, as an offense against the user. After all, this stuff is taking up resources that otherwise wouldn't be used (traffic, memory, CPU cycles and as such battery)

Nasty advertising practices are already quite common in the mobile world, compare with the apps that do push ads, notifications for in app purchases, full screen ads that are hard to click off, etc.

> This stuff might, for now, be rather easy to uninstall but nobody can guarantee that won't change in the future and infected phones end up in a similar bad state like Windows systems with sticky adware infections.

Short of sandbox breakouts becoming rampant - which would surely get noticed quickly - it can be guaranteed this will never become a concern on Android or any similar platform.


Maybe the Apple "walled garden" keeps the animals from eating your fruit.


Partly related to ads

I heard of something with Apple, somebody was able to change the checksum or something to an Apple app before it was submitted to a store and all the ad revenue went to that person. It was on a podcast I heard a few month(s) ago.


That happens on a daily basis, on both stores.

There is no way either company can manually inspect a billion+ apps plus their updates. So they are putting AI in charge, which people seem to be able to fool once in a while.


At Google IO they just announced Android has 2B active devices, which makes it easily the largest platform today, much larger than Windows ever was. If you remember the bad days of ILOVEYOU or SqlSlammer, I think Android is much safer. Or compare this Judy with WannaCry. Don't believe the hype. You're welcome.


Android permissions have been criticized for many years. Not sure if Google has done anything to address that.


They've done a little bit. Newer Android versions support setups where apps request permissions at runtime, instead of just having them all the time in the background.

But the permissions are still too wide. Things like giving apps access to all your contacts, as opposed to having the OS only provide one contact, after the user picks it from a list.


There's a tradeoff in usability. I do wish Google (or a phone vendor! add real value!) would let users choose fine-grained or coarse-grained security at the UI level, and let developers just use fine-grained permissions APIs.


There really isn't a tradeoff.

Bad security: App requests all your contacts and shows you a list of people you can invite to play Candy Crush. The user clicks one, but the app already has access to all of them.

Good security: App requests a contact and the OS shows you a list of people you can invite to play Candy Crush. The user clicks one and the OS gives that contact info to the app.

The user experience is quite similar, but the security design is far better.


No, nothing can ever wash off the stank and damage done by Windows. When Android starts shutting down hospitals, holding companies for ransom, crippling foreign centrifuges then we can have this conversation. Until then we're just waiting for the next Windows armageddon.


Part of the issue is how lax attitudes are in mobile development when it comes to security. There are probably dozens of top apps out there that have insecure command and control type setups



