The security firm Checkpoint on Thursday uncovered dozens of Android applications that infected users’ devices with malicious ad-click software. In at least one case, an app bearing the malware was available through the Google Play app store for more than a year.
While the actual extent of the malicious code’s spread is unknown, Checkpoint says it may have reached as many as 36.5 million users, making it potentially the most widely-spread malware yet found on Google Play. Google removed the apps after being notified by Checkpoint.
Get Data Sheet, Fortune’s technology newsletter.
The malicious apps primarily included a series of casual cooking and fashion games under the “Judy” brand, a name borrowed for the malware itself. The nefarious nature of the programs went unnoticed in large part, according to Checkpoint, because its malware payload was downloaded from a non-Google server after the programs were installed. The code would then use the infected phone to click on Google ads, generating fraudulent revenue for the attacker.
The infection may have spread even more widely than Checkpoint’s estimates, since not all of the extensive line of “Judy” apps are included on Checkpoint’s tally – it’s missing Fashion Judy: Magic Girl Style and Fashion Judy: Masquerade Style, among others. All installments of the series do appear to have been pulled from Google Play.
The “Judy” apps were published by an apparently Korean entity known as ENISTUDIO. However, iterations of the same attack were found on a handful of apps from other publishers.
This is not the first instance of a malware infestation making it through the screening process on Google Play, nor is it the most damaging – Checkpoint did not find any evidence, for instance, that “Judy” compromised data on infected phones. That Judy was able to hide on Google Play for so long highlights the tradeoffs of Android operating system, which is often seen as more open but less secure than Apple’s iOS.
