
A few days ago, online forensic researchers at Check Point discovered one of the biggest malware outbreaks to have hit millions of Android users on Google Play.
A malware campaign called ‘Judy’ has reportedly spread across a large part of the Google Play Store and has infected somewhere between 8.5 million and 36.5 million users. Security research firm Check Point reported that it had discovered the malware, following which it alerted Google.
What is Judy?
The name ‘Judy’ comes from the app in which this malware was discovered. It is malware that automates false clicks on in-app ads to artificially bump up click-through revenues for app makers. A total of 41 apps containing this malware code have been detected so far by the researchers, but the number could be significantly higher, as it lay undetected in the Play Store for a prolonged period of time. It was initially detected in ‘Judy the Chef’ (see image below), and after the red flag was raised, the Play Store swiftly removed this app.

How do you know if Judy has affected your phone or not?
The best way to find out is to check whether you have any of these apps installed by clicking here. There is no other tool. If you have any of these apps installed, your phone is most likely infected. You should format your phone ASAP.
It has been noted that this malware reached between 4.5 million and 18.5 million registered users on the app store, and some of the apps discovered by Check Point resided on Google Play for several years. The campaign was last updated in April 2016, and the apps in it had between 4 million and 18 million downloads, similar to FalseGuide and Skinner, which were discovered earlier.
Who is behind Judy?
A Korean company called Kiniwini, which develops Android and iOS apps, seems to be behind the development and marketing of these malicious apps. It is registered on Google Play as ENISTUDIO corp.
It is somewhat perplexing to find an actual organization behind these apps as usually they are shrouded in mystery. It is worth noting that the malicious activity conducted by the malware is not borderline advertising, but definitely an illegitimate use of the users’ mobile devices for generating fraudulent clicks and benefiting the attackers.
How does the ‘Judy’ malware work?
1. Once a user downloads the malware app, it silently registers a receiver and establishes a connection with the Command and Control server.
2. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string, and URLs controlled by the malware author.
3. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website.
4. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.
5. Upon clicking the ads, the malware author receives payment from the website developer, which pays for the illegitimate clicks and traffic.
6. The JavaScript code locates the targeted ads by searching for iframes which contain ads from the Google ads infrastructure.
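
The steps above leave a recognizable trail in web proxy logs: a device known to be an Android phone sends a desktop browser user agent, receives a redirect, and then requests an ad host moments later. The following detection sketch is an added example, not code from Check Point or from the original article. The log record layout, the device inventory field, the list of ad domains, the 30-second window and all sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: ad-serving domains to watch; extend for your environment.
AD_DOMAINS = ("doubleclick.net", "googlesyndication.com", "googleadservices.com")
DESKTOP_UA = re.compile(r"Windows NT|Macintosh|X11; Linux x86_64")
WINDOW = 30  # max seconds between the redirect and the ad request

PC_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
MOBILE_UA = "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 Chrome/58.0 Mobile Safari/537.36"

# Constructed proxy records: (epoch_seconds, device_id, inventory_os, user_agent, url, status)
SAMPLE_LOG = [
    (100, "phone-a", "android", PC_UA, "http://landing.example/promo", 302),
    (104, "phone-a", "android", PC_UA, "https://googleads.g.doubleclick.net/click?x=1", 200),
    (200, "phone-b", "android", MOBILE_UA, "http://news.example/", 302),
    (203, "phone-b", "android", MOBILE_UA, "https://googleads.g.doubleclick.net/click?x=2", 200),
    (300, "laptop-c", "windows", PC_UA, "http://shop.example/", 301),
    (302, "laptop-c", "windows", PC_UA, "https://googleads.g.doubleclick.net/click?x=3", 200),
    (400, "phone-d", "android", PC_UA, "http://landing.example/promo", 302),
    (900, "phone-d", "android", PC_UA, "https://pagead2.googlesyndication.com/click?x=4", 200),
]

def is_ad_host(url):
    """True if the URL's host is one of AD_DOMAINS or a subdomain of one."""
    host = urlparse(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in AD_DOMAINS)

def is_spoofed(inventory_os, user_agent):
    """Device inventory says Android, but the request claims to be a desktop browser."""
    return (inventory_os == "android" and "Android" not in user_agent
            and bool(DESKTOP_UA.search(user_agent)))

def find_suspects(records):
    """Devices that got a redirect under a spoofed UA, then hit an ad host within WINDOW."""
    pending = {}      # device_id -> time of the last spoofed-UA redirect
    suspects = set()
    for ts, dev, inv_os, ua, url, status in sorted(records):
        if not is_spoofed(inv_os, ua):
            continue
        if is_ad_host(url) and ts - pending.get(dev, float("-inf")) <= WINDOW:
            suspects.add(dev)
        elif 300 <= status < 400:
            pending[dev] = ts
    return sorted(suspects)

if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))
```

A user who enables "request desktop site" in a mobile browser will also send a desktop user agent, so treat a hit as a lead to correlate with the installed app list rather than as proof of infection.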

What do you need to check before downloading an app?
1. Read all the permissions the application is asking for
2. Read all the user reviews
3. Read the privacy policy of the application
4. Also, keep your system updated with security patches
Hopefully, Google’s latest security measures, such as Play Protect, announced by Google at I/O 2017, will ensure faster malware detection. The protection was recently announced during its annual developer conference and is meant to safeguard users from malicious and dangerous apps. Play Protect will be built into every device with Google Play and will automatically take action to keep users’ data and devices safe. Google says that it scans more than 50 billion apps every day, and the new feature will detect and remove apps that might be harmful.
If you think you have been attacked by malware or want your apps to be screened for any potentially harmful code, then get in touch with us. Our professional app testers and app developers will be able to check your app and cleanse it of any extra code.
We create iconic apps that generate revenue and delight our clients. If you’re looking to develop a great iOS app or an Android application, then please get in touch with us at marketing@knowarth.com.
