After WannaCry’s sizable impact on many Windows machines around the world, details have been revealed of a malware campaign targeting Android devices through the Google Play Store. The auto-clicking adware, named ‘Judy’, was discovered by the IT security firm, Check Point. It is estimated to have affected between 8.5 and 36.5 million users.

Check Point researchers discovered a widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is auto-clicking adware that was found in 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenue for the perpetrators behind it. The malicious apps reached an astonishing spread of between 4.5 million and 18.5 million downloads. Some of the apps Check Point discovered had resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown.

All the malicious apps, developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp, contained an adware program, dubbed Judy, that generates fraudulent clicks on advertisements to earn revenue.

Check Point explained the working of Judy:

“To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store. Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload.

The malware, then, uses [the] infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.”

Check Point likens Judy to two earlier pieces of malware: FalseGuide and Skinner. And like another piece of malware, DressCode, Judy hid behind good reviews. “Hackers can hide their apps’ real intentions or even manipulate users into leaving positive ratings, in some cases unknowingly. Users cannot rely on the official app stores for their safety, and should implement advanced security protections capable of detecting and blocking zero-day mobile malware,” Check Point says.

While now removed by Google, the apps were downloaded between 4.5 million and 18.5 million times before being taken down. All of these apps were updated recently, making it difficult for the security company to calculate Judy’s exact impact and reach. It is also tricky to determine exactly when the malicious code was injected into the apps. Kiniwini makes apps for iOS as well as Android. However, Judy’s impact appears to be limited to Android devices.

Android is notorious for leaving a majority of devices hanging when it comes to security updates, and while Google is taking steps to improve security on Android devices and on its Google Play Store, there’s clearly room for further improvement.

Here’s the list of malicious apps developed by Kiniwini. If you have any of these installed on your device, remove them immediately:

  • Fashion Judy: Snow Queen style
  • Animal Judy: Persian cat care
  • Fashion Judy: Pretty rapper
  • Fashion Judy: Teacher style
  • Animal Judy: Dragon care
  • Chef Judy: Halloween Cookies
  • Fashion Judy: Wedding Party
  • Animal Judy: Teddy Bear care
  • Fashion Judy: Bunny Girl Style
  • Fashion Judy: Frozen Princess
  • Chef Judy: Triangular Kimbap
  • Chef Judy: Udong Maker – Cook
  • Fashion Judy: Uniform style
  • Animal Judy: Rabbit care
  • Fashion Judy: Vampire style
  • Animal Judy: Nine-Tailed Fox
  • Chef Judy: Jelly Maker – Cook
  • Chef Judy: Chicken Maker
  • Animal Judy: Sea otter care
  • Animal Judy: Elephant care
  • Judy’s Happy House
  • Chef Judy: Hotdog Maker – Cook
  • Chef Judy: Birthday Food Maker
  • Fashion Judy: Wedding day
  • Fashion Judy: Waitress style
  • Chef Judy: Character Lunch
  • Chef Judy: Picnic Lunch Maker
  • Animal Judy: Rudolph care
  • Judy’s Hospital: Pediatrics
  • Fashion Judy: Country style
  • Animal Judy: Feral Cat care
  • Fashion Judy: Twice Style
  • Fashion Judy: Myth Style
  • Animal Judy: Fennec Fox care
  • Animal Judy: Dog care
  • Fashion Judy: Couple Style
  • Animal Judy: Cat care
  • Fashion Judy: Halloween style
  • Fashion Judy: EXO Style
  • Chef Judy: Dalgona Maker
  • Chef Judy: ServiceStation Food
  • Judy’s Spa Salon

At least one of these apps was last updated on the Play Store in April last year, which means the malicious apps had been propagating for more than a year.

“Users cannot rely on the official app stores for their safety,” Check Point warned. Google did not immediately respond to a request for comment. Google has now removed all of the above-mentioned malicious apps from the Play Store, but since Google Bouncer is not sufficient to keep bad apps out of the official store, you have to be very careful about downloading apps.

The Judy Android Malware: Possibly the largest malware campaign found on Google Play
