The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads.
Updated : May 29, 2017, 12:32 PM IST
Almost 36.5 million Android devices have been affected by a new malware dubbed ‘Judy’. It has been found in 41 apps on the Google Play Store, and uses infected devices to generate fraudulent clicks on advertisements, generating revenue for the perpetrators behind it.
According to Check Point, some of the apps discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown. The security firm also stated that the malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads.
Similar to previous malware which infiltrated Google Play, such as FalseGuide and Skinner, Judy reportedly relies on communication with its Command and Control (C&C) server for its operation. After the firm alerted Google, the apps were removed from the Play Store.
How does the Judy Malware work?
To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish a connection to the victim’s device, and insert it into the app store. Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author.
The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure. Upon clicking the ads, the malware author receives payment from the website developer, which pays for the illegitimate clicks and traffic.
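As an added defensive illustration (not code from Check Point or from this article), here is a small Python heuristic run over constructed ad-request log lines. It assumes the ad server logs both the User-Agent and the X-Requested-With header that Android WebViews attach with the hosting app’s package name; a desktop User-Agent arriving together with such a package name is exactly the mismatch a hidden in-app webpage imitating a PC browser would produce.

```python
import re

# Constructed sample log (not real traffic): "<timestamp> <client> <user_agent> | <x_requested_with>"
# "-" means the X-Requested-With header was absent; package names are made up.
SAMPLE_LOG = """\
2017-05-29T12:00:01Z c1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0 | com.example.judyfashion
2017-05-29T12:00:02Z c1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0 | com.example.judyfashion
2017-05-29T12:00:03Z c2 Mozilla/5.0 (Linux; Android 7.0; SM-G930F) Chrome/58.0 Mobile | -
2017-05-29T12:00:04Z c3 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0 | -
2017-05-29T12:00:05Z c4 Mozilla/5.0 (Linux; Android 6.0; wv) Version/4.0 Chrome/58.0 Mobile | com.example.game
"""

# Shape of an Android application id (reverse-DNS style), e.g. com.vendor.app
PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+$")
DESKTOP_MARKERS = ("Windows NT", "Macintosh", "X11; Linux")
MOBILE_MARKERS = ("Android", "Mobile", "iPhone", "iPad")


def parse_line(line):
    """Split one constructed log line into (client, user_agent, x_requested_with)."""
    head, _, requested_with = line.rpartition(" | ")
    _ts, client, user_agent = head.split(maxsplit=2)
    return client, user_agent, requested_with.strip()


def looks_like_desktop(ua):
    """True when the User-Agent claims a PC browser and carries no mobile marker."""
    return any(m in ua for m in DESKTOP_MARKERS) and not any(m in ua for m in MOBILE_MARKERS)


def flag_spoofed_webviews(log_text):
    """Return {client: count} for requests that claim a desktop browser while
    carrying an Android package name in X-Requested-With (a masquerading WebView)."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, ua, requested_with = parse_line(line)
        if looks_like_desktop(ua) and PACKAGE_RE.match(requested_with):
            hits[client] = hits.get(client, 0) + 1
    return hits


if __name__ == "__main__":
    for client, n in flag_spoofed_webviews(SAMPLE_LOG).items():
        print(f"{client}: {n} desktop-UA requests carrying an Android package header")
```

A genuine Android WebView (client c4) or a real desktop browser (client c3) is not flagged; only the combination seen for client c1 is.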
But, who is behind the Judy Malware?
Check Point stated that the malicious apps are all developed by a Korean company named Kiniwini, registered on Google Play as ENISTUDIO corp. The company develops mobile apps for both Android and iOS platforms. It is quite unusual to find an actual organization behind mobile malware, as most of it is developed by purely malicious actors. It is important to note that the activity conducted by the malware is not borderline advertising, but definitely an illegitimate use of the users’ mobile devices for generating fraudulent clicks, benefiting the attackers.
Below is the list of malicious apps published by Check Point:
Fashion Judy: Snow Queen style
Animal Judy: Persian cat care
Fashion Judy: Pretty rapper
Fashion Judy: Teacher style
Animal Judy: Dragon care
Chef Judy: Halloween Cookies
Fashion Judy: Wedding Party
Animal Judy: Teddy Bear care
Fashion Judy: Bunny Girl Style
Fashion Judy: Frozen Princess
Chef Judy: Triangular Kimbap
Chef Judy: Udong Maker – Cook
Fashion Judy: Uniform style
Animal Judy: Rabbit care
Fashion Judy: Vampire style
Animal Judy: Nine-Tailed Fox
Chef Judy: Jelly Maker – Cook
Chef Judy: Chicken Maker
Animal Judy: Sea otter care
Animal Judy: Elephant care
Judy’s Happy House
Chef Judy: Hotdog Maker – Cook
Chef Judy: Birthday Food Maker
Fashion Judy: Wedding day
Fashion Judy: Waitress style
Chef Judy: Character Lunch
Chef Judy: Picnic Lunch Maker
Animal Judy: Rudolph care
Judy’s Hospital: Pediatrics
Fashion Judy: Country style
Animal Judy: Feral Cat care
Fashion Judy: Twice Style
Fashion Judy: Myth Style
Animal Judy: Fennec Fox care
Animal Judy: Dog care
Fashion Judy: Couple Style
Animal Judy: Cat care
Fashion Judy: Halloween style
Fashion Judy: EXO Style
Chef Judy: Dalgona Maker
Chef Judy: ServiceStation Food
Judy’s Spa Salon