This is the kind of malware that is difficult to block imo. As long as the auto clicking is done at a suitable interval, there really is no easy way to detect it.
The question is: would such an attack work on Apple devices? I'm assuming that the iOS API provides similar functionality to apps running on the device.
You don't need to detect it as it's going on, it should be a part of the approval process for getting the app accepting into the Play store. Apps should undergo regular static and dynamic analysis. And probably some improvements to Bouncer
Static analysis likely will not detect this type of malware as the malicious payload is only retrieved once the app is running. As for dynamic analysis, it's usually pretty easy to evade for a capable malware author. The only surefire way to catch this is to have someone manually analyze the app.
Dynamic analysis isn't perfect by any means, but I expect Google to at least try, to get the low hanging fruit. As the OP said: "at least make them work a little." Do we know if this malware had sandbox detection techniques?
Technically, I said "I expect Google to at least try," which is just stating my expectations rather than stating anything about whether Google met my expectations ;)
But seriously, that's a fair point, my statement implied an unsourced assumption. I think Google tries to some extent, but I can't find anything saying Judy had anti-analysis capabilities, which makes me suspicious as to the effectiveness of Google's dynamic analysis of Play Apps.
The question is: would such an attack work on Apple devices? I'm assuming that the iOS API provides similar functionality to apps running on the device.