Malicious Apps Brought Ad-Clicking 'Judy' Malware To Millions Of Android Phones

An anonymous reader quotes Fortune: The security firm Checkpoint on Thursday uncovered dozens of Android applications that infected users' devices with malicious ad-click software. In at least one case, an app bearing the malware was available through the Google Play app store for more than a year. While the actual extent of the malicious code's spread is unknown, Checkpoint says it may have reached as many as 36.5 million users, making it potentially the most widely-spread malware yet found on Google Play... The nefarious nature of the programs went unnoticed in large part, according to Checkpoint, because its malware payload was downloaded from a non-Google server after the programs were installed. The code would then use the infected phone to click on Google ads, generating fraudulent revenue for the attacker.

Android malware is profitable for Google and mfrs.

[Futurepower(R)]

Android malware causes Google and Android phone manufacturers and phone service providers to make more money. Most people don't have the time or technical ability to deal with issues, so they buy new phones.

Google arranged that Android cannot reliably be updated to its latest version. That pro-malware destructiveness is profitable.

Google needs better management. The company is rapidly getting a bad reputation, partly also because of tracking internet users. Why should Google know if I visit my bank account?

My opinions.

Re:

[slazzy]

I'm actually considering a BB for my next phone, might just be the best way to do Android.

Re:

[Jamu]

Google provides the updates/patches for *everyone*

Google updated my Nexus 7 for about 18 months. They stopped at the end of 2015.

Bad marketing for Google

[Futurepower(R)]

"It is then the carriers responsibility to get that sorted out..."

The problem for Google is that abuse by the carriers damages Google's reputation. Most people don't understand all the issues.

Companies should have enough control over their products that they can prevent their products from being used as an instrument of abuse by other companies.

Re:

[Ol Olsoc]

Companies should have enough control over their products that they can prevent their products from being used as an instrument of abuse by other companies.

When your business model is based on cheap, you can't expect the company to have amenities like updates. Expecting the KankPoo Android phone you bought at a flea market to get updates simply isn't realistic.

Re:

[TheFakeTimCook]

"It is then the carriers responsibility to get that sorted out..."

The problem for Google is that abuse by the carriers damages Google's reputation. Most people don't understand all the issues.

Companies should have enough control over their products that they can prevent their products from being used as an instrument of abuse by other companies.

Yup.

Apple did it, why can't others?

Perhaps because they don't give a shit about their customers?

Apple had its own methods.

[Futurepower(R)]

A long time ago, a friend I respected told me, "Love the Mac, hate Apple." Apple had its own methods of abuse.

Re:

[TheFakeTimCook]

A long time ago, a friend I respected told me, "Love the Mac, hate Apple." Apple had its own methods of abuse.

Name Three.

Re:

[Ol Olsoc]

The carriers take stock android and customise it to their requirements. It is then the carriers responsibility to get that sorted out update-wise.

Cheap. Remember cheap. With android's biggest draw being cheap, once that phone is out of most companies hands and into yours, they are done with you. Since cheap rules for Many-most android users, there isn't anyone on the company staff to do the required testing and rollout.

So like so many of my friends who laugh about my "Overpriced Apple shit", and their economical Android Phones, they get a new one every year because the old one is all screwed up. Meanwhile I'm on only my second iPhone.

Re:

[TheFakeTimCook]

The carriers take stock android and customise it to their requirements. It is then the carriers responsibility to get that sorted out update-wise.

Cheap. Remember cheap. With android's biggest draw being cheap, once that phone is out of most companies hands and into yours, they are done with you. Since cheap rules for Many-most android users, there isn't anyone on the company staff to do the required testing and rollout.

So like so many of my friends who laugh about my "Overpriced Apple shit", and their economical Android Phones, they get a new one every year because the old one is all screwed up. Meanwhile I'm on only my second iPhone.

Same here.

First iPhone was a 4s. Still works, but is "retired." Just stopped getting updates last September, at iOS 9.3.5.

Current phone is a 6 Plus. Will be 3 years old in a few months. Works fine. Gets current OS updates.

Re:Android malware is profitable for Google and mf

[The MAZZTer]

You do realize Google recently updated its Play Store developer EULA to ban apps that download and run binaries from non-Google Play Store locations, right? That will seal this hole. Sounds like Google is cracking down to me.

Re:

[TheFakeTimCook]

You can still side load... That's the huge difference...

Banning dropbox and all apps that depend on it because it opens their own website vs closing a security hole while leaving an out (hosting apk any where else)?

Yeah...

This again?!?

You've been able to Sideload, "legally", on iOS devices since iOS 8.

You don't even need a Mac to do it.

Re:

[stephanruby]

The app faked ad impressions and ad clicks. This is a flaw with their advertisement system, not with device security.

As a user, I only care that the apps I install do not take too much energy, do not take too many background CPU cycles, and do not take too much bandwidth. Aside from those three things, wich I can already monitor with Android, I couldn't care less if my apps fake ad clicks. If you ask me, the more fake data and the more fake ad clicks there are, the better it is for society as a whole.

Re:

[ArmoredDragon]

Google arranged that Android cannot reliably be updated to its latest version. That pro-malware destructiveness is profitable.

It seems to me that Google was using the (at the time) existing paradigm that OEMs are entirely responsible for providing updates, and carriers were entirely responsible for deploying it. Industry politics basically made this mandatory at the time, and they still do to a huge extent. Apple gets around this because they are vertically integrated. Microsoft promised to not have this problem, but because they aren't vertically integrated, they ultimately ran into the same problem (only for them it's even worse

Re:

[thegarbz]

Google needs better management.

What the fuck are you talking about? Every release of Android in the past 3 years has made steps towards fixing precisely what you're complaining about, and the final step will come with Android O which completely decouples the update process from the shitty other companies who you *should* be blaming for their shipping Android devices but not forwarding security updates.

"...past 3 years has made steps towards fixing..."

[Futurepower(R)]

"...past 3 years has made steps towards fixing..."

That doesn't fix the bad publicity.

If I were the CEO of Google, I would offer free, or almost free, Android updates to all cell service providers, very publicly. Any providers who didn't accept updates would then take that responsibility on themselves, publicly.

Re:

[thegarbz]

If I were the CEO of Google, I would offer free, or almost free, Android updates to all cell service providers

I'm sticking with WTF. They already DO offer them free. It is well known *publicly* that the problem isn't on Google's end.

It is not "well known publicly".

[Futurepower(R)]

You didn't understand the point. Google could make a very public announcement that would have the effect of helping people understand that cell service providers are being abusive. Google could, for example, make public the restrictions and modifications of each provider. At present it is very difficult to get that information.

meanwhile iPhone users...

[Anonymous Coward]

... don't have to worry about this kind of stuff, thanks to the Apple's walled garden App Store.

Re:

[tsa]

Every time I read about yet another Android malware I am reminded why I bought an iPhone. They're worth the price.

Use iOS

[Anonymous Coward]

It's just better

What's a malicious phone app?

[Frosty Piss]

Odd, I've never had these sorts of problems. My phone is an iPhone 5s...

Re:

[stephanruby]

http://fortune.com/2016/03/16/... [fortune.com]

Re:

[JaredOfEuropa]

From that article:

Additionally, for the malware to spread to an iOS device, users must have mistakenly installed a corrupted program on their Windows-powered PC to help manage their iOS device. Instead of helping a user backup their iPhone, however, the program covertly installs “malicious apps on any iOS device that is connected to the PC,” the report said.

Not exactly the same thing as being powned by a malicious app. Plus, Apple have taken measures to prevent this rather quickly. That's not to say that iPhones are 100% secure, but malware on iPhones is relatively rare, and malware causing widespread damage is even rarer.

Re:

[dwillden]

And malware on Android is relatively rare, and malware causing widespread damage is even rarer. Anyone thinking their platform choice is protecting them is an idiot.

Re:

[mnemotronic]

I've never had these sorts of problems. My phone is an iPhone 5s.

Sorry; dumb question: How do you know you've never had this problem? Maybe you have and just have not been aware of it.

Damn.

[mnemotronic]

Is Blowjob Judy : Gag Queen listed? Please NOOOOOOO....

Every time

[GrumpyNope]

I swear there is always a Minecraft guide app in these lists