Security researchers have discovered a widespread malware campaign that has infected nearly 40 million Android devices through downloaded compromised apps from the official Google Play Store.

The attack — named Judy after a cartoon character featured in many of the malicious apps — uses auto-clicking adware housed in 41 apps, primarily from a Korean mobile developer to generate revenue for its creators.

Read: Android Malware: Cloak And Dagger Attack Can Secretly Record User Activity

First discovered by security researchers at Check Point, Judy already has infected upward of 36.5 million users who downloaded seemingly trustworthy apps and games from the Google Play Store.

The apps themselves were seemingly innocuous, but once installed on a device, would begin to communicate with a remote command-and-control server that would send a malicious payload.

That payload would direct the app to visit specific websites owned by the creator of the malware. Using a Javascript code sent from the remote server, the malware would locate and click on advertisements on the webpage, which would generate revenue for the malware author.

It’s unclear just how much money the malicious actors were able to generate using the scheme, but it’s believed the income was likely significant given how widespread the Judy malware was.

Read: FalseGuide Android Malware: More Than 600,000 Phones Turned Into Money-Generating Botnet

The attack bears resemblance to the FalseGuide attack that hit more than a half-million Android users earlier this year. Using apps disguised as guides for popular games, attackers delivered malicious payloads through a command-and-control server that turned Android devices into a botnet.

Some of the infected apps containing the Judy malware were on the Google Play Store for several years, including several that have received recent updates. Many came from a Korean firm named Kiniwini and were attributed in the Google Play Store to Enistudio Corp.

The apps from the Korean company were targeted toward younger users and feature a character named Judy, who starred in a number of the apps and games that had her performing tasks from cooking to taking care of pets.

Another batch of apps from an apparently unrelated developer uses the same malicious code but hasn’t been updated since April 2016, which suggests the attack went unnoticed right under Google’s nose for more than a year.

The apps have since been removed from the Google Play Store after Check Point alerted Google of their presence but the attack shows how vulnerable Android devices remain to attacks even when users don’t venture outside Google’s walls.

Kiniwini, the maker of many of the infected apps, acknowledged their titles had been removed from the Google Play Store in a statement on its website. “Recently, our game apps have been blocked on Google Play and the service has been stopped. Sorry for the inconvenience,” a translated version of the statement read.

The company notes users who already have the games installed can continue to play, and new titles featuring the character Judy will be released later this year.

RELATED STORIES
Software Malware Google