Android app malware

According to IT security company Check Point, as many as 36 million Android devices may have been infected with ad-click malware. The malware, dubbed Judy, is reported to have been present in approximately 50 apps in Google’s play store, but the total number of infections cannot be accurately determined as it is not known for how long the apps have been malicious.

Those responsible generate money through ad-clicks – in this instance Judy silently imitated a browser and clicked on banners from Google’s ad infrastructure to generate revenue for the malware author. The malware has had little real impact upon the end user, though it does equate to an illegitimate use of a device, and could potentially be exploited for more sophisticated attacks, including: gaining control of devices for additional malware download, conducting DDoS attacks or gaining access to private networks.

Google’s protection system did not immediately identify the problem because the apps themselves did not contain any malicious code. Rather, once downloaded from the play store, the affected apps are designed to call out to a remote server which then delivers malicious ad-click software to devices.

This type of two-stage delivery is increasingly common. Last month, FalseGuide malware was discovered hidden inside apps and games on the play store. Following download, these compromised apps allow malicious actors to install additional malicious software. App stores may come under increased pressure to enhance their scrutiny of apps before permitting them to feature, particularly if the number of instances of adware infections increases.

The NCSC recommends that users only install apps from the official application store for your device. Malicious apps in official stores are more likely to be discovered, and subsequently removed from the store and the device.

RoughTed Malvertising Campaign

Threat researchers at internet security firm Malwarebytes have recently highlighted a significant malvertising campaign, called RoughTed, which has been running for over a year.

Malvertising (or ‘malicious advertising’) uses online advertising as a delivery method for malware. Malware-infected ads can be inserted into popular, legitimate websites, and often do not require user action to be effective: simply visiting an infected site can be enough to get infected.

Criminal use of malvertising as a vector for malware delivery has been an increasing trend since it was first observed in approximately 2007 with the exploitation of a vulnerability in Adobe Flash. In 2015 Google disabled more than 780 million ads that violated their policies, some of which carried malware, up from 524 million in 2014.

RoughTed is notable for its prolific distribution, with associated domains accumulating in excess of half a billion visits in a three month period. According to researchers, traffic diverted to RoughTed-related domains comes from thousands of different websites, some of which ranked in the electronic personal assistant, Alexa’s, top 500 websites. RoughTed can reportedly target a wide array of users according to their operating system, browser and geolocation before delivering a variety of payloads, including exploit kits and malware. Moreover, RoughTed has been circumventing adblockers, broadening the pool of potential victims.


.author-name { display: none; }