Security firm Check Point revealed the campaign Thursday, claiming a South Korean company, Kiniwini, hid an illegitimate ad-clicking function inside 41 apps, most of which were games. Google's Bouncer, a technology designed to keep such so-called "adware" out of its store, wasn't able to pick up on the feature because the malicious code was only downloaded after installation.
Check Point also noted that various Kiniwini apps would display "a large amount of advertisements, which in some cases leave users with no option but clicking on the ad itself." And it claimed the oldest version of the malware, which it dubbed "Judy", dated from April 2016, indicating it avoided detection for at least a year.
Kiniwini, which also goes by the name ENISTUDIO corp, did not return requests for comment. A post from May 21st on the company's website recognized Google's action to remove the apps. It does not address the allegations made by Check Point or the reason behind the apps' disappearance from Google Play.
Google had not returned a request for comment at the time of publication.
Growing Android fraud problem
According to Android security expert Sergio de los Santos, Judy was symptomatic of a wider problem with such ad fraud targeting Google's platform. "This clicking malware hides very well. They have been undetected for years now, and even now anti-virus products are still not detecting them," said de los Santos, a researcher with Telefonica's ElevenPaths Android security team.
"The reason is because they are not dangerous by themselves in Google Play, but when they are installed they download the payload. This is very tricky and makes all detection techniques fail. And, besides, the only permission they need is access to the internet... it's quite intelligent."
Just earlier this week, Russian security firm Group-IB said it helped law enforcement arrest the gang behind Cron, an Android malware that infected as many as 1 million devices. It would steal bank account logins and intercept authorization codes texted by the bank. Most victims were based in Russia.
As for Americans, the biggest Android malware is known as Marcher, according to the Russian firm. "This trojan was developed by a Russian speaking author in 2014. In the beginning it was used only by one cybercrime gang to attack Russian clients. Then it was advertised on the underground markets," said Dmitri Volkov, co-founder and head of intelligence at Group-IB. That development led to further adoption by other cybercriminals.
But according to Google data, infection numbers for Android devices remain low. In a recent report, it said that at the end of 2016 just 0.05% of all Android devices that only downloaded from Google Play were infected with what it calls a "potentially harmful application" (PHA).