by openasocket 3312 days ago
I work in the security space, and I would definitely consider this malware. Generally, any software used with a malicious purpose is considered malware. As an example, keyloggers generally aren't exploiting any vulnerability (though malware often uses a vulnerability to install the keylogger in the first place), they're using the standard functionality of the computer as intended, but with malicious intent, and so keyloggers are considered malware. It's not breaking out of the sandbox, but it turns out the sandbox is a pretty big place with a lot of room to do what it wants, so why bother trying to break out?
3 comments

Yeah, technically I can see it as malware, but not really in the same way... keyloggers obviously harm the user in collecting data against them, there's no malicious intent against the user here. This is only a minor increase over the already quite nasty but common mobile advertising practices.

In fact, I'd argue the information harvesting most mobile ad networks do is much more harmful than this click fraud. Do we ban all of those as malware too? Most of them don't mention that they send things like unique device identifiers, connected wifi networks or Google account information.

This is not so much a matter of debate as of reading up.

https://en.wikipedia.org/wiki/Malware

> Some malware is used to generate money by click fraud, making it appear that the computer user has clicked an advertising link on a site, generating a payment from the advertiser. It was estimated in 2012 that about 60 to 70% of all active malware used some kind of click fraud, and 22% of all ad-clicks were fraudulent

If you want to coin a new term feel free, but malware means what it means and refers to malicious, not "more malicious than", not "malicious against the user" etc.

Does this encompass malware that sends unique device identifiers to 3rd parties? Google account names? Or are those extremely common practices not considered malicious at all? In my opinion those are much more malicious actions. The only way to compare malicious with malicious is indeed relative. If one arguably malicious action is prohibited but another is not, you have to question the motivations. "More malicious than" common practice therefore seems like a very good question to ask.
Yes, I absolutely agree that plenty of commonly practiced or even accepted things are malicious, too, at least with the way they're hand waved away ("to improve our service" and worse).

> there's no malicious intent against the user here

Eating up their battery/resources running hidden code that pretends to be them is kinda malicious. I also count hidden bitcoin miners as malicious.

Isn't that all ads, then? I mean, as an end user, which is more harmful to you - downloading a bunch of ads and filling your screen with them, or downloading a bunch of ads and not displaying them?

You are going to use more battery and resources actually displaying the ads, not to mention the worse user experience. If I had to pick between the two, I would prefer 'download and don't display' over 'download and display'

Ads don't have malicious intent (usually). You may not like them, but displaying ads doesn't cause you harm. You could argue "having to see ads is inconvenient, which is a kind of harm" but just because software is inconvenient or doesn't do exactly what you want doesn't mean it's malicious. In this case, what makes Judy malicious is that it is using your machine to defraud advertisers.
It often takes my personal information, unique device identifiers etc and sends them over the internet without my consent. That causes harm. IMO, much more so than defrauding some advertisers.
As I said in another comment, the term "malicious" is obviously open to interpretation, so yes, you could make the argument that that is malware. You just have to convince others of your argument.

I'm not really interested in having that argument here, since it's really off topic for this article.

For sure, but any extra battery and resource consumption here would be extremely minor compared to a bitcoin miner. Many apps do various forms of push advertising and background reporting which does quite similar things, do you consider that to be malware too? Ultimately the only difference here is that this one abuses Google and their advertisers instead of the user, which seems to be an accepted and common advertising practice. In my opinion at least, it's not significantly different from those behaviors.
What if this is self-modifying code? Now instead of clicking an ad, now DDoS? Malicious is basically bad intent. This is an unauthorized activity so it is malicious.
It's not self-modifying code, it's looking specifically for google.com frames, see the source in the link. This is hardly worse intent than any other mobile ad these days.
> no malicious intent against the user

Lots of malware doesn't have malicious intent against the user. Like botnets for DDoS attacks. Those things generally don't have any noticeable impact on the user, aside from increased network usage, but do immense damage to their targets.

I agree it's different than typical malware. As for considering ad tracking malware, the term "malicious" is obviously open to interpretation, so yes, you could make the argument that that is malware. You'd just have to convince others this meets the criteria for maliciousness. I've certainly heard people say that DRM software is malware.

If you're using my cycles, bandwidth, memory, power, etc. without my permission, it is malware.

This is not really that different than the spam "debate" - I've heard people argue that spam is no big deal because the bulk of it is caught. Tell that to people who run mail servers (but only if you brought your earplugs).

I suppose that, because many people put up with so much surveillance, they have difficulty drawing a line. I find this one a simple line to draw, but if you feel the need to place it elsewhere, the best predicate tipping point is based on intent.

> the best predicate tipping point is based on intent.

So, what of intent - are those people taking unique device identifiers, account names, installed package lists, etc not of a malicious intent with them? I'd say so. I'd say that intent is far more malicious than defrauding some advertisers.

And I'd agree with you - I also consider corporate surveillance as routinely practiced to be malevolent.
Adjust your sense of "technically," the original malware was shit like Hotbar and Comet Cursor. Trying to change the topic to "everybody who tracks anything" isn't helpful.
> keyloggers generally aren't exploiting any vulnerability

That's a very odd definition you have.

Rest assured, nobody is saying these kinds of apps are acceptable. But calling them malware is not right when they technically don't use more than they've been given access to (network + some CPU time)?

Which part is odd? You can use standard APIs like GetAsyncKeyState() or various utilities for screen scraping and reading the paste buffer to make a key logger, no vulnerabilities required. We still consider such a thing malware of course. The point is exploiting vulnerabilities is not a necessary condition for something to be considered malware.
He's probably referring to injecting/deploying the keylogger in the first place. Either it came with malicious software, via a system exploit, or someone installed it having physical access.
Or, like in the case of Judy, people installed it willingly, because it was hidden inside a game. If a game or some sort of application people install on their machine had a key logger component, we'd consider that malware, and still no vulnerabilities needed, just basic social engineering.
agree