Judy Malware infects 36.5 million Android smartphones: Find out if you are under threat!

Almost 36.5 million Android devices have been affected with a new malware dubbed ‘Judy’. It has been found in 41 apps on the Google Play Store, and uses infected devices to generate fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.

According to Check Point, some of the apps discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown. The security firm also stated that the malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads.

Similar to previous malware which infiltrated Google Play, such as FalseGuide and Skinner, Judy reportedly relies on the communication with its Command and Control server (C&C) for its operation. After the firm alerted Google, the apps were removed from the Play store.

How does the Judy Malware work?

To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store. Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author.

The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure. Upon clicking the ads, the malware author receives payment from the website developer, which pays for the illegitimate clicks and traffic.

But, who is behind the Judy Malware?

CheckPoint stated that the malicious apps are all developed by a Korean company named Kiniwini, registered on Google Play as ENISTUDIO corp. The company develops mobile apps for both Android and iOS platforms. It is quite unusual to find an actual organization behind mobile malware, as most of them are developed by purely malicious actors. It is important to note that the activity conducted by the malware is not borderline advertising, but definitely an illegitimate use of the users’ mobile devices for generating fraudulent clicks, benefiting the attackers.

Mentioned below is the list of malicious apps released by Check Point:

Fashion Judy: Snow Queen style

Animal Judy: Persian cat care

Fashion Judy: Pretty rapper

Fashion Judy: Teacher style

Animal Judy: Dragon care

Chef Judy: Halloween Cookies

Fashion Judy: Wedding Party

Animal Judy: Teddy Bear care

Fashion Judy: Bunny Girl Style

Fashion Judy: Frozen Princess

Chef Judy: Triangular Kimbap

Chef Judy: Udong Maker – Cook

Fashion Judy: Uniform style

Animal Judy: Rabbit care

Fashion Judy: Vampire style

Animal Judy: Nine-Tailed Fox

Chef Judy: Jelly Maker – Cook

Chef Judy: Chicken Maker

Animal Judy: Sea otter care

Animal Judy: Elephant care

Judy’s Happy House

Chef Judy: Hotdog Maker – Cook

Chef Judy: Birthday Food Maker

Fashion Judy: Wedding day

Fashion Judy: Waitress style

Chef Judy: Character Lunch

Chef Judy: Picnic Lunch Maker

Animal Judy: Rudolph care

Judy’s Hospital: Pediatrics

Fashion Judy: Country style

Animal Judy: Feral Cat care

Fashion Judy: Twice Style

Fashion Judy: Myth Style

Animal Judy: Fennec Fox care

Animal Judy: Dog care

Fashion Judy: Couple Style

Animal Judy: Cat care

Fashion Judy: Halloween style

Fashion Judy: EXO Style

Chef Judy: Dalgona Maker

Chef Judy: ServiceStation Food

Judy’s Spa Salon