Judy Doesn’t Love You – Judy Malware has a sweet name but may have infected 36 million users

Pierluigi Paganini May 31, 2017

Experts found a new malware, dubbed Judy malware, in the Play Store, it is designed to infect Android devices and generate false clicks on advertisements.

Google is suffering once again from malicious software applications found inside popular apps available on Play store. The new malware – code named “Judy” – is designed to infect Android devices and generate false clicks on advertisements. According to Checkpoint Software, which discovered Judy, the payoff for the malware developers is to generate revenue on the false advertising clicks.

The new malicious app bypassed Google checks and may have been inside 41 popular games on the Play store for years, infecting as many as 36 million users.

“Check Point researchers discovered another widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean company. ” states the analysis published by CheckPoint. “The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads. ” “We also found several apps containing the malware, which were developed by other developers on Google Play.” “These apps also had a large amount of downloads between 4 and 18 million, meaning the total spread of the malware may have reached between 8.5 and 36.5 million users.”

The tainted software packages containing the malware were developed by a Korean company and have all been pulled from the Google Play Store. Several other vendor packages have also been pulled that reportedly contained the same malware code. However, it is not clear if these apps were intentionally designed with the Judy malware or simply suffered the same fate because of shared code.

judy Malware Android

The disclosure comes on the heels of two similar malware programs, “Falseguide” and “Skinner” which bypassed Google’s safety and check system. All the malware designs appear to be similar in that they used communications links with a Command and Control server for operation. Once the link was established, the Command Server would then download the malicious software on the unsuspecting user.

The malware developers first would design and upload a bait program to the Google Play Store. Most of the bait apps used by Judy appear to be games or simulated doll dress designs aimed at children. The bait programs would appear to be innocent to the user and pass the Google checking system since they contained no malicious code. The apps apparently look valid because they are designed to communicate with a specific URL for additional user game data such as updated dress designs for children’s dolls. Both the user and Google were unaware that the URL was actually a link to the malicious Command server.

One a user downloaded and started the app, the command server would infect the unknowing user with a silent and invisible web browser using JavaScript. The malware used the JavaScript code to locate and click on banners from Google ads once a targeted series of websites are launched inside the silent web browser. The silent browser would then simulate a computer by clicking on the paying advertisements and banners. Each infected user would then unknowingly be clicking thousands of times a day against advertisements. The fake clicks against the websites generated revenue for the malware developer cheating the paying advertisers.

One feature of Judy, however, was that some of the spammed ads also required the user to click on them in order to get the home screen functional again. While many of the apps were apparently popular, some of them received 4 and 5-star reviews, users often complained about the large number of ads that they were seeing. This tell-tale clue should have been a warning sign that the apps were doing more than simply dressing simulated dolls.

According to Checkpoint, the malware apps were all developed by a single Korean company named Kiniwini, registered on Google Play as ENISTUDIO corp.

“The company develops mobile apps for both Android and iOS platform,” states the Checkpoint bulletin.

“It is quite unusual to find an actual organization behind mobile malware, as most of them are developed by purely malicious actors. It is important to note that the activity conducted by the malware is not borderline advertising, but definitely an illegitimate use of the users’ mobile devices for generating fraudulent clicks, benefiting the attackers.”

Google has recently attempted to beef-up its Play Store, releasing new privacy and security guidelines to developers and increasing checks against potentially malevolent software apps. However, the use of a secondary communications system seems to bypass security checks since Google cannot see the hidden malware stored on a separate Command server during the upload and activation process for developers.

It is not unusual for app developers to utilize a communications link to specific URLs. Many games and user applications require a link in order to update common data, generate game revenue and add additional features. The design of using a malicious Command server to install functioning malware is something that previously had been reserved for intelligence agencies and criminal hacker organizations.

While, the abuse of millions of users to generate illegal income via hidden clicks on paying ads is not entirely new, there are darker possible designs that can target the individual users with more than just advertisements; stealing financial information, violating privacy, stalking and tracking. Both Google and Apple should take note of this new design that can bypass traditional upload and install security features of their store fronts.

Link to Checkpoint alert on Judy malware:

About the author: Charles R. Smith is CEO of Softwar Inc. a US based information warfare company and a former national security journalist.



[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Judy Malware, Android)

[adrotate banner=”13″]

you might also like

leave a comment