Judy Android Malware Targeted Google Play Store For A Year Potentially Infecting 36 Million Users
Judy was found on forty-one apps developed by a Korean company, Kiniwini, registered on Google Play as ENISTUDIO corp. Hackers developed bridgehead apps that, once downloaded, established a connection with their Command and Control (C&C) server. The server replied with a payload that included JavaScript code, a user-agent string and URLs that were controlled by the hackers.
The Check Point Mobile Research Team noted, "The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure."

Credit: Check Point Mobile
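The behaviour described above, an Android app loading pages in a hidden webpage while presenting a PC browser user agent, leaves a trace a defender can look for in web-proxy logs. The following is an added example, not code from Check Point or from the original article: it assumes the proxy records the `X-Requested-With` header (which Android WebView has commonly set to the embedding app's package name), and the log field names, device names, package names and hosts are all constructed.

```python
import json
from collections import defaultdict

DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
WEBVIEW_UA = "Mozilla/5.0 (Linux; Android 6.0; wv) AppleWebKit/537.36 Chrome/58.0 Mobile Safari/537.36"

def _rec(device, ua, xrw, host, status):
    return json.dumps({"device": device, "ua": ua, "x_requested_with": xrw,
                       "host": host, "status": status})

# Constructed sample proxy log (JSON lines); every value here is made up.
SAMPLE_LOG = "\n".join([
    _rec("tab-07", DESKTOP_UA, "com.example.chefgame", "landing.example", 302),
    _rec("tab-07", DESKTOP_UA, "com.example.chefgame", "ads.example", 200),
    _rec("tab-07", WEBVIEW_UA, "com.example.news", "news.example", 200),  # honest WebView
    _rec("pc-12", DESKTOP_UA, None, "news.example", 200),                 # real desktop
    _rec("pc-12", DESKTOP_UA, "XMLHttpRequest", "api.example", 200),      # desktop AJAX
    "truncated-line-not-json",                                            # damaged record
])

def is_desktop_ua(ua):
    """A user agent with neither 'Android' nor 'Mobile' claims to be a PC browser."""
    return not any(token in ua for token in ("Android", "Mobile"))

def find_spoofing_apps(log_text, min_hits=2):
    """Return {(device, package): stats} for apps whose WebView traffic
    carries a desktop user agent at least min_hits times."""
    stats = defaultdict(lambda: {"hits": 0, "redirects": 0, "hosts": set()})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged records instead of aborting the scan
        pkg = rec.get("x_requested_with")
        if not pkg or pkg == "XMLHttpRequest":
            continue  # no app package name: not WebView-originated
        if not is_desktop_ua(rec.get("ua", "")):
            continue  # WebView that identifies itself honestly
        entry = stats[(rec["device"], pkg)]
        entry["hits"] += 1
        entry["redirects"] += 300 <= rec.get("status", 0) < 400
        entry["hosts"].add(rec["host"])
    return {key: {"hits": v["hits"], "redirects": v["redirects"],
                  "hosts": sorted(v["hosts"])}
            for key, v in stats.items() if v["hits"] >= min_hits}

if __name__ == "__main__":
    for (device, pkg), info in find_spoofing_apps(SAMPLE_LOG).items():
        print(device, pkg, info)
```

A hit is a lead for review rather than proof of ad fraud, since some legitimate apps request desktop versions of sites.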
It is currently unclear how long the malware existed. According to the research team, the oldest app from the second campaign was released in April 2016. Several apps from other developers included code similar to that of the Judy apps; however, it is unclear if this imitation was intentional. All of the Judy apps have since been removed from Google Play.

The Judy apps actually had a surprising number of positive reviews. One app, Chef Judy: Picnic Lunch Maker, averaged a 4.2 on Google Play with over 2,000 5-star reviews. Some users, however, sensed something was amiss and called out the hackers in their reviews.
It is important to note that most of the Judy apps were targeted at children. For a complete list of the Judy apps, head here.