[Cyph0n]

Static analysis likely will not detect this type of malware as the malicious payload is only retrieved once the app is running. As for dynamic analysis, it's usually pretty easy to evade for a capable malware author. The only surefire way to catch this is to have someone manually analyze the app.

[openasocket]

Dynamic analysis isn't perfect by any means, but I expect Google to at least try, to get the low hanging fruit. As the OP said: "at least make them work a little." Do we know if this malware had sandbox detection techniques?

[NikolaeVarius]

Why do you assume Google doesn't try?

[openasocket]

Technically, I said "I expect Google to at least try," which is just stating my expectations rather than stating anything about whether Google met my expectations ;)

But seriously, that's a fair point, my statement implied an unsourced assumption. I think Google tries to some extent, but I can't find anything saying Judy had anti-analysis capabilities, which makes me suspicious as to the effectiveness of Google's dynamic analysis of Play Apps.