It looks like the common component across the apps mentioned is in the "net.shinhwa21.jsylibrary" namespace.<p>I made a list of the apps with that namespace, preview here: <a href="https://mixrank.com/playstore/apps?expiration=2017-06-30&list.id=8ce2b11ce0&sharedby=scott%40deltaex.com&auth=5130e518573dd928" rel="nofollow">https://mixrank.com/playstore/apps?expiration=2017-06-30&lis...</a><p>This list is a few times bigger than the ones mentioned in the article (been crawling for a long time, and try to be complete). If there are any security folks here that want access to the APKs for research, I'm happy to share (scott at mixrank).
This isn't really malware in the traditional sense: it doesn't damage users of the app itself or harvest information from them. This is simply ad fraud; it only damages Google and its advertisers.<p>It seems to me like CheckPoint is fishing for internet points with this title.
<i>Upon clicking the ads, the malware author receives payment from the website developer, which pays for the illegitimate clicks and traffic.</i><p>Are they really certain of this, or could it just be the work of someone who wants to "poison the well" of Google's ad network data collection?<p>It somehow reminds me of <a href="https://news.ycombinator.com/item?id=10611594" rel="nofollow">https://news.ycombinator.com/item?id=10611594</a> (Would CheckPoint also consider that malware?)
I'm curious if anyone has a sense for how much they made from this? I just don't have a good sense for scale and dimensions of this.<p>If it went undetected for so long they must not have been at least somewhat conservative in their approach, so say 5mil DAU times 1 click a day at $0.25/click. So, million-ish dollars a day?
"Some of the apps we discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown."<p>If these apps were indeed popular, I would imagine the historical APKs are available for the various versions on pirate sites. Simply performing a Google search for "Fashion Judy: Snow Queen style apk" shows downloads for different versions of it. This can give a better idea of the length of infection.
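An added example (not part of the thread and not any commenter's code): one way to run the check suggested above over a set of collected historical APKs, looking for the "net.shinhwa21.jsylibrary" namespace named at the top of the thread. The version codes, the sample archives and the class name `Placeholder` are constructed for illustration; version codes are assumed to come from whoever collected the files, since the script does not parse the manifest.

```python
import io
import zipfile

# Namespace named in the thread, as a DEX type-descriptor prefix:
# dots become slashes and class types start with "L".
NAMESPACE = "net.shinhwa21.jsylibrary"
DESCRIPTOR = ("L" + NAMESPACE.replace(".", "/") + "/").encode()

def dex_entries(apk_bytes):
    """Yield (name, data) for each classes*.dex in an APK (a ZIP archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if name.startswith("classes") and name.endswith(".dex"):
                # read() decompresses; grepping the raw APK would miss deflated dex
                yield name, apk.read(info)

def contains_namespace(apk_bytes):
    """Return the dex files whose string data holds the descriptor prefix."""
    return [n for n, data in dex_entries(apk_bytes) if DESCRIPTOR in data]

def first_affected(versions):
    """versions: (version_code, apk_bytes) pairs. Returns (report, first_hit)."""
    report = {}
    for code, apk in sorted(versions, key=lambda v: v[0]):
        try:
            report[code] = contains_namespace(apk)
        except zipfile.BadZipFile:
            report[code] = None  # truncated or corrupt download, needs re-fetch
    hits = [c for c, found in report.items() if found]
    return report, (min(hits) if hits else None)

def _fake_apk(dex_payloads):
    """Constructed sample: a ZIP with stand-in dex contents, not a real APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, payload in dex_payloads.items():
            z.writestr(name, payload)
    return buf.getvalue()

CLEAN = b"dex\n035\x00Lcom/example/game/Main;"          # constructed
TAINTED = CLEAN + DESCRIPTOR + b"Placeholder;"           # constructed
SAMPLES = [                                              # constructed versions
    (15, _fake_apk({"classes.dex": TAINTED})),
    (10, _fake_apk({"classes.dex": CLEAN})),
    (12, b"not a zip archive"),
    (14, _fake_apk({"classes.dex": CLEAN, "classes2.dex": TAINTED})),
]

if __name__ == "__main__":
    report, first = first_affected(SAMPLES)
    print(report, "first affected version:", first)
```

A version with no match is not proven clean: a renamed, packed or dynamically loaded copy of the library would not show up in a descriptor search.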
This is why no matter how much Google brags about its machine learning-powered anti-malware protection, it can't rely solely on it to defend Android users, because it's still a cat and mouse game with sophisticated attackers. They need to find a way to patch all devices in a timely manner.