Judy malware possibly infects up to 36.5 million Android users

by Jake Doevan

Check Point announces that Judy might be the largest malware campaign so far – up to 36.5 million Android devices have been potentially compromised. The malware, called Judy, produces false ad clicks and makes money for its creators.[1]

[Image: Judy malware on Android]

According to security vendor Check Point, there were 41 infected applications in total. They were created by Kiniwini, a company based in Korea, and distributed under the moniker ENISTUDIO Corp. Devices infected with the Judy malware start to produce a high volume of false clicks on ads, generating revenue for the cybercriminals.

Google deleted the malicious applications from the Google Play store after it was notified about their presence.[2] Before that, however, Judy had been installed between 4.5 million and 18.5 million times. Some of these apps had been on Google Play for a few years and were recently updated.[3]

“It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown”, Check Point reported. However, those numbers of installation mean that “the total spread of the malware may have reached between 8.5 and 36.5 million users”.[4]

The malware takes its name from Judy, the title character of the malicious Kiniwini applications.[5] For example, the illustration above shows Chef Judy: Picnic Lunch Maker. Other Judy variations were available as well, such as “Animal Judy” or “Fashion Judy”.

So, how does Judy work? The attackers develop a seemingly harmless app that passes Google’s Bouncer checks and is listed on the app store; the malicious behaviour is only fetched later.

According to Check Point,

“Once a user downloads a malicious app, it silently registers receivers which establish a connection with the [Command and Control] server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.”
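As an added illustration from the detection side (not Check Point’s analysis or the malware’s own code): a small heuristic over constructed per-app network records that flags the pattern described above, an app on a mobile device whose traffic presents a desktop-browser user agent while repeatedly hitting ad-serving hosts within a short window. The package names, the non-ad hosts, the log format and the thresholds are constructed assumptions; only the two Google ad-serving hostnames are real.

```python
import re
from collections import defaultdict

# Constructed sample user agents (not real captures or Check Point indicators):
# a mobile browser UA, and the desktop UA a hidden web view might be told to present.
ANDROID_UA = "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 Chrome/58.0 Mobile Safari/537.36"
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"

# Constructed log lines from an Android device: epoch_seconds|app_package|host|user_agent
SAMPLE_LOG = "\n".join([
    f"1000|com.example.browser|news.example.com|{ANDROID_UA}",
    f"1003|com.example.browser|pagead2.googlesyndication.com|{ANDROID_UA}",
    f"1010|com.example.cookinggame|redirector.example.net|{DESKTOP_UA}",
    *(f"{1012 + 2 * i}|com.example.cookinggame|googleads.g.doubleclick.net|{DESKTOP_UA}" for i in range(6)),
    "1100|com.example.weather|api.example.org|okhttp/3.8.0",
])

# Google ad-serving hosts (illustrative two; a real deployment would use a fuller list).
AD_HOSTS = {"googleads.g.doubleclick.net", "pagead2.googlesyndication.com"}
DESKTOP_OS = re.compile(r"Windows NT|Macintosh|X11; Linux")


def is_desktop_ua(ua: str) -> bool:
    """True when a UA claims a desktop OS and does not identify itself as Android/mobile."""
    return bool(DESKTOP_OS.search(ua)) and "Android" not in ua and "Mobile" not in ua


def parse_log(text: str) -> list:
    """Parse pipe-delimited records into (timestamp, package, host, user_agent) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, host, ua = line.split("|", 3)
        rows.append((int(ts), pkg, host, ua))
    return rows


def detect_hidden_ad_clicks(rows, window_s: int = 60, min_hits: int = 5) -> dict:
    """Return {package: hits} for apps that reach ad hosts >= min_hits times within window_s
    seconds while presenting a desktop UA from a mobile device."""
    by_pkg = defaultdict(list)
    for ts, pkg, host, ua in rows:
        if host in AD_HOSTS and is_desktop_ua(ua):
            by_pkg[pkg].append(ts)
    flagged = {}
    for pkg, times in by_pkg.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window anchored at each hit
            hits = sum(1 for t in times[i:] if t - start <= window_s)
            if hits >= min_hits:
                flagged[pkg] = hits
                break
    return flagged
```

The mobile browser’s single ad request with a genuine Android user agent is not flagged; only the app presenting a desktop user agent from a phone and firing six ad requests in ten seconds is.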

Judy is compared to two prior malware campaigns, FalseGuide and Skinner. In addition, like another malicious app, DressCode, Judy had good consumer reviews. The security vendor also adds that “hackers can hide their apps' real intentions or even manipulate users into leaving positive ratings, in some cases unknowingly. Users cannot rely on the official app stores for their safety, and should implement advanced security protections capable of detecting and blocking zero-day mobile malware”.

The developer, Kiniwini, creates applications for both Apple iOS and Android, but no issues were found with its iOS apps. All 41 Judy apps were available in the app store, and most of them were updated on March 31.
