Many of the apps were highly rated and available to download for several years
Security researchers have discovered Android malware that may have infected up to 36.5 million users.
Dubbed ‘Judy’, the malware was found on over 40 apps, many of which were available to download from Google Play for “several years”.
Check Point, which spotted the malware, has described it as “possibly the largest malware campaign” found on the Play Store.
The researchers say Judy “uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.”
41 of the infected apps are said to have been developed by a Korean company called Kiniwini, and registered on Google Play as ENISTUDIO corp.
These included cooking and fashion games, such as Chef Judy: Picnic Lunch Maker.
Unusually, many of the apps were rated highly by users, but this could be due to manipulation rather than a genuinely positive user experience.
“A high reputation does not necessarily indicate that the app is safe for use,” explains Check Point in a blog post.
“Hackers can hide their apps’ real intentions or even manipulate users into leaving positive ratings, in some cases unknowingly.”
The Judy malware was also found on several apps created by other developers.
“The connection between the two campaigns remains unclear, and it is possible that one borrowed code from the other, knowingly or unknowingly,” says Check Point.
Google has been notified about the malware, and has removed the infected apps from the Play Store.