Judy malware campaign victimized as many as 36.5 million Android users

All roads lead to a single Korean company…


A malware campaign on Google Play has victimized as many as 36.5 million Android users with adware known as "Judy."

Researchers at Check Point discovered 41 apps laden with the auto-clicking adware on the Play Store. After receiving word from the researchers, Google removed the programs from its app marketplace. But that wasn't before the apps achieved between 4.5 million and 18.5 million downloads.

In total, the campaign could have affected as many as 36.5 million Android users over a period of at least a year. As with the DressCode campaign, many of the Judy-infected apps didn't have particularly bad ratings, which no doubt contributed to their widespread distribution.

Just check out "Chef Judy: Picnic Lunch Maker", one of the Android apps that bore the malware scourge.

[Image: Chef Judy: Picnic Lunch Maker]

Check Point's research team explains how an infection works:

"To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store. Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure."

By clicking on the banners, the malware generated revenue for the authors.
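The infection chain above leaves two network-level tells on a phone: an app that suddenly speaks with a desktop browser User-Agent, and a stream of ad-click requests from an app that shows no visible web content. The following added detection heuristic (mine, not Check Point's or the article's code) runs over a constructed per-app request log of the kind an on-device traffic monitor or lab proxy would export; the package names, ad-host list and the assumption that a spoofed PC user agent means "Windows NT / Macintosh with no Android token" are all mine.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: one line per outbound HTTP request from an Android device.
# Fields: package-name | User-Agent header | requested URL
SAMPLE_LOG = """\
com.example.notepad|Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 Mobile Safari/537.36|https://api.example.net/sync
com.example.cookgame|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36|http://cc.example.invalid/payload
com.example.cookgame|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36|https://landing.example.invalid/
com.example.cookgame|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36|https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-000
com.example.cookgame|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36|https://www.googleadservices.com/pagead/aclk?sa=L&ai=abc
com.example.cookgame|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36|https://www.googleadservices.com/pagead/aclk?sa=L&ai=def
com.example.weather|Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 Mobile Safari/537.36|https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-111
"""

# Assumption: a request from a phone whose UA claims a desktop OS and carries no
# "Android" token is a spoofed PC browser, as the article describes for Judy.
DESKTOP_UA = re.compile(r"Windows NT|Macintosh|X11; Linux x86_64")
# Assumption: ad-click redirector paths and hosts of the Google ads infrastructure
# (illustrative list; tune to your own environment).
AD_CLICK_PATH = re.compile(r"/pagead/aclk")
AD_HOSTS = ("doubleclick.net", "googleadservices.com")


def parse_log(text):
    """Yield (package, user_agent, url) triples from the pipe-separated log."""
    for line in text.splitlines():
        if line.strip():
            pkg, ua, url = line.split("|", 2)
            yield pkg, ua, url


def _is_ad_click(url):
    parts = urlparse(url)
    host = parts.hostname or ""
    on_ad_host = any(host == h or host.endswith("." + h) for h in AD_HOSTS)
    return on_ad_host and AD_CLICK_PATH.search(parts.path) is not None


def flag_suspect_packages(text, min_clicks=2):
    """Return packages that both spoof a desktop UA and fire >= min_clicks ad clicks."""
    stats = defaultdict(lambda: {"desktop_ua": 0, "ad_clicks": 0})
    for pkg, ua, url in parse_log(text):
        if DESKTOP_UA.search(ua) and "Android" not in ua:
            stats[pkg]["desktop_ua"] += 1
        if _is_ad_click(url):
            stats[pkg]["ad_clicks"] += 1
    return sorted(p for p, s in stats.items()
                  if s["desktop_ua"] and s["ad_clicks"] >= min_clicks)
```

An ordinary app that merely loads ad banners (the weather app here) is not flagged; only the combination of a spoofed desktop UA and repeated click-redirector hits is.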

Judy is similar to other malicious programs like FalseGuide in that it relies on a C&C server for its nefarious activities. But most of those campaigns are the brainchildren of malicious actors. By comparison, all of Judy's infected apps trace back to Kiniwini, a Korean company which registered on Google Play as ENISTUDIO corp.

As of this writing, the company still has a profile on Google's app marketplace.

[Screenshot of the company's Google Play profile, 30 May 2017]

Android users should steer clear of any future apps developed by ENISTUDIO corp. They should also install a mobile anti-virus solution to help protect against threats like Judy, and read the reviews of an app before they install it.

User reviews don't always reveal suspicious app activity, but they can and oftentimes do.


One Response

xplodwild (May 31, 2017 at 2:00 pm):

"They should also install a mobile anti-virus solution to help protect threats like Judy": Nope, not at all. Anti-virus solutions wouldn't even detect such things; Google Play would uninstall them remotely before the AV even gets updated. And all that without wasting money, CPU, memory, bandwidth, and time.
