Google Just Killed What Might Be The Biggest Android Ad Fraud Ever

This article is more than 6 years old.

Google has thrown more than 40 apps out of its Play store after it emerged they were quietly forcing Android users to click on ads. As the apps had been downloaded as many as 36 million times, security researchers said it appeared to be the biggest ever case of ad fraud perpetrated via Google Play and probably the most successful malware in terms of installs from the official store.

Security firm Check Point revealed the campaign Thursday, claiming a South Korean company, Kiniwini, hid an illegitimate ad clicking function inside 41 apps, most of which were games. Google's Bouncer, a technology designed to keep such so-called "adware" out of its store, wasn't able to pick up on the feature as it was downloaded after installation.

Once the rogue code was added to the apps, they would secretly open webpages in the background, via software that imitated a PC browser. "Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure," Check Point explained. The Korean company would then receive funds for every ad click. Check Point estimated the firm was making millions from the ad clicks, in the region of $300,000 per month.

Check Point also noted that various Kiniwini apps would display "a large amount of advertisements, which in some cases leave users with no option but clicking on the ad itself." And it claimed the oldest version of the malware, which it dubbed "Judy", dated from April 2016, indicating it avoided detection for at least a year.

[Image: Check Point claims adware was hidden by South Korean developers inside more than 40 Android apps. Credit: Check Point]

Kiniwini, which also goes by the name ENISTUDIO corp, did not return requests for comment. A post from May 21st on the company's website recognized Google's action to remove the apps. It does not address the allegations made by Check Point or the reason behind the apps' disappearance from Google Play.

Google had not returned a request for comment at the time of publication.

Growing Android fraud problem

According to Android security expert Sergio de los Santos, Judy was symptomatic of a wider problem with such ad fraud targeting Google's platform. "This clicking malware hides very well. They have been undetected for years now, and even now anti-virus products are still not detecting them," said de los Santos, a researcher with Telefonica's ElevenPaths Android security team.

"The reason is because they are not dangerous by themselves in Google Play, but when they are installed they download the payload. This is very tricky and makes all detection techniques fail. And, besides, the only permission they need is access to the internet... it's quite intelligent."

Just earlier this week, Russian security firm Group-IB said it helped law enforcement arrest the gang behind Cron, an Android malware that infected as many as 1 million devices. It would steal bank account logins and intercept authorization codes texted by the bank. Most victims were based in Russia.

As for Americans, the biggest Android malware is known as Marcher, according to the Russian firm. "This trojan was developed by a Russian speaking author in 2014. In the beginning it was used only by one cybercrime gang to attack Russian clients. Then it was advertised on the underground markets," said Dmitri Volkov, co-founder and head of intelligence at Group-IB. That development led to further adoption by other cybercriminals.

But according to Google data, infection numbers for Android devices remain low. In a recent report, it said that at the end of 2016 just 0.05% of all Android devices that only downloaded from Google Play were infected with what it calls a "potentially harmful application" (PHA).
