Kaustubh Katdare • May 28, 2017

Possibly the largest Android malware ever, 'Judy' infects ~36 million phones and tabs

According to security research firm Check Point, a new malware nicknamed 'Judy' is affecting a large number of Android devices all over the world. The malware generates fraudulent clicks on in-app advertisements, producing a large amount of illegal revenue for the publisher. The malware was found in about 41 apps published on the Google Play Store. What's worse is that these apps are massively popular and have a combined reach of about 36 million phones globally.

Check Point further claims that some of these apps have been lying in the Play Store for a long time, and that the publisher recently updated all of them. But the spread of the malware doesn't stop there: Check Point also observes that other app publishers have published apps carrying the Judy malware. These developers could have borrowed the code from the original publisher, either knowingly or unknowingly.

The Judy malware functions similarly to earlier malware such as FalseGuide and Skinner: it receives instructions from a C&C (Command and Control) server operated by the malware author. Google was prompt to remove these apps from the Play Store after Check Point informed it about them.

The way Judy operates is very interesting. First, the malware must bypass Google's security check so that it can be published on the Play Store. The publishers therefore created a seemingly simple, benign app that passes Google's 'Bouncer' protection. Once the user installs the app, it quietly establishes a connection to the C&C server and downloads the malicious code. This code includes JavaScript, a user agent string and URLs that are controlled by the publisher.

[Image: judy-malware-android-checkpoint]

Once the malicious code is on the user's device, the JS code locates the advertisements in the app and clicks on them. It does so by finding the iframe that embeds Google AdSense advertisements. Each click earns revenue for the publisher, and because of the huge reach of the infected apps, these fraudulent clicks have generated large amounts of revenue for the publishers.
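One defender-side way to spot the kind of scripted ad clicking described above is to look at the click stream itself: an infected app clicks nearly every ad it is shown, and it does so on a timer. The following is an added example, not code from the original post or from Check Point; the log format (timestamp, app package, device id, event) and all sample lines are constructed for illustration.

```python
# Added example (not from the original post or Check Point): a defender-side
# heuristic that flags app/device streams whose ad clicks look scripted, i.e.
# nearly every impression is clicked and the clicks arrive at machine-regular
# intervals. The log format and all sample data below are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: a benign stream with human-looking behaviour, and a
# suspect stream that clicks every impression, exactly 30 seconds apart.
SAMPLE_LOG = "\n".join(
    ["1496000000 com.example.benign dev-a impression",
     "1496000017 com.example.benign dev-a click",
     "1496000400 com.example.benign dev-a impression",
     "1496001900 com.example.benign dev-a impression",
     "1496003100 com.example.benign dev-a impression",
     "1496003160 com.example.benign dev-a click"]
    + [f"{1496000000 + 30 * i + off} com.example.suspect dev-c {kind}"
       for i in range(6) for kind, off in (("impression", 0), ("click", 1))]
)

def parse_log(text):
    """Yield (timestamp, package, device, event) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("impression", "click"):
            yield int(parts[0]), parts[1], parts[2], parts[3]

def score_streams(events, min_clicks=5, ctr_threshold=0.9, cv_threshold=0.1):
    """Return {(package, device): (ctr, cv, flagged)} for each app/device stream."""
    impressions = defaultdict(int)
    clicks = defaultdict(list)
    for ts, pkg, dev, ev in events:
        if ev == "impression":
            impressions[(pkg, dev)] += 1
        else:
            clicks[(pkg, dev)].append(ts)
    result = {}
    for key in set(impressions) | set(clicks):
        times = sorted(clicks[key])
        ctr = len(times) / max(impressions[key], 1)
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of inter-click gaps: ~0 means clockwork timing.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else float("inf")
        flagged = len(times) >= min_clicks and ctr >= ctr_threshold and cv <= cv_threshold
        result[key] = (round(ctr, 3), round(cv, 3), flagged)
    return result

def flagged_packages(text):
    """Packages with at least one stream flagged as automated clicking."""
    return {pkg for (pkg, _), (_, _, f) in score_streams(parse_log(text)).items() if f}

if __name__ == "__main__":
    for key, val in score_streams(parse_log(SAMPLE_LOG)).items():
        print(key, val)
```

The thresholds are starting points only; on real traffic they should be tuned against known-good apps before anything is acted on.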

Check Point further mentions that all these malicious apps were published on the Play Store by a Korean company called Kiniwini, registered on the Google Play Store as 'ENISTUDIO Corp.' The publishers went a step further and displayed a large number of advertisements in their apps, which results in users clicking on the ads involuntarily. It's surprising that most of these infected apps have a large number of positive ratings in the store. But as with the 'DressCode' app, it's now clear that an app with positive ratings is not necessarily safe to use.

If you've installed any of these apps on your phone, we strongly advise you to remove them as soon as possible. For details of the Judy malware, please head over to the official source link below.

Source: CheckPoint
