Judy Android malware unleashes massive attack on Google Play Store

When it comes to apps for mobile devices, InfoSec experts will always recommend downloading from official vendors like the Google Play Store or the Apple App Store. While these sites are much more stringent in their standards for malicious app prevention, there are always exceptions (which require the consumer to use common sense). What is unusual, however, is for a massive amount of malicious applications to not only bypass the Play Store's Bouncer automated antivirus system, but to all result from one singular company.

Such is the case, however, with the malware dubbed "Judy." Discovered and reported on by security researchers at Check Point, Judy is an auto-clicking adware exclusively found on 41 apps created by the Korean company Kiniwini (ENSTUDIO in the Play Store). The way Judy works is by, in the words of the researchers, utilizing "infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it." This revenue was likely massive as Check Point estimated a minimum of 36.5 million total downloads of Judy-infected apps.

The actual process of attack was as follows.

  1. User downloads app.
  2. Judy registers receivers and creates a connection with a C&C (command and control) server.
  3. The server responds with the malicious payload.

The JavaScript portion of the payload is seen below:

Check Point

The company in question was rather dedicated to their scam, as many of the applications (as seen below) received high ratings and had a professional presentation.

Upon receiving the reports from Check Point, Google immediately began purging any trace of the applications from the Play Store. One may ask how these apps even found their way onto the Play Store in the first place? As I stated earlier, the vetting process of official app marketplaces is not foolproof. The blocking process may be able to recognize malicious code in the application's core processes, but as with Judy, the app does not become malicious until the user establishes connection via allowed permissions.

Let this be a lesson. While you are certainly better off downloading apps from the Play Store and App Store, you should be aware of how much access an app is requesting. If it seems too intrusive, don't download the application (you can probably live without it). Similarly once you've downloaded the app and it seems inundated with suspicious ads, delete that sucker as quickly as possible and perform a malware scan.

Photo credit: Flickr / Jan Persiel

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Published by
Derek Kortepeter

Recent Posts

Building Exchange 2019 from scratch: Setting up a domain controller

If you are building a new Exchange 2019 environment from scratch, you will have to…

3 hours ago

RAID 1 vs. RAID 5: When to use each level and why

Redundant array of independent disks (RAID) is the logical grouping of two or more disks…

22 hours ago

Microsoft 365 adds online scheduling to Microsoft Bookings app

Microsoft 365 users have access to an app called Microsoft Bookings. Before you dismiss it…

1 day ago

Biometrics authentication: Where the technology is now — and where it’s going

As cyberthreats rise in number and complexity, biometrics authentication technology has seen rapid adoption and…

4 days ago

Remote work vulnerabilities: Tips on avoiding a nightmare scenario

Remote work is likely to remain permanent — and so will the vulnerabilities it brings…

4 days ago

Microsoft Teams rolls out new video meetings features

Microsoft Teams is adding new features to help employees adjust to the new normal of…

5 days ago