• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

The U.S. House banned WhatsApp on government devices due to security concerns

 | 

Russia-linked APT28 use Signal chats to target Ukraine official with malware

 | 

China-linked APT Salt Typhoon targets Canadian Telecom companies

 | 

U.S. warns of incoming cyber threats following Iran airstrikes

 | 

McLaren Health Care data breach impacted over 743,000 people

 | 

American steel giant Nucor confirms data breach in May attack

 | 

The financial impact of Marks & Spencer and Co-op cyberattacks could reach £440M

 | 

Iran-Linked Threat Actors Cyber Fattah Leak Visitors and Athletes' Data from Saudi Games

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 50

 | 

Security Affairs newsletter Round 529 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Iran confirmed it shut down internet to protect the country against cyberattacks

 | 

Godfather Android trojan uses virtualization to hijack banking and crypto apps

 | 

Cloudflare blocked record-breaking 7.3 Tbps DDoS attack against a hosting provider

 | 

Linux flaws chain allows Root access across major distributions

 | 

A ransomware attack pushed the German napkin firm Fasana into insolvency

 | 

Researchers discovered the largest data breach ever, exposing 16 billion login credentials

 | 

China-linked group Salt Typhoon breached satellite firm Viasat

 | 

Iran experienced a near-total national internet blackout

 | 

Malicious Minecraft mods distributed by the Stargazers DaaS target Minecraft gamers

 | 

Healthcare services company Episource data breach impacts 5.4 Million people

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Mobile
  • Judy Doesn’t Love You – Judy Malware has a sweet name but may have infected 36 million users

Judy Doesn’t Love You – Judy Malware has a sweet name but may have infected 36 million users

Pierluigi Paganini May 31, 2017

Experts found a new malware, dubbed Judy malware, in the Play Store, it is designed to infect Android devices and generate false clicks on advertisements.

Google is suffering once again from malicious software applications found inside popular apps available on Play store. The new malware – code named “Judy” – is designed to infect Android devices and generate false clicks on advertisements. According to Checkpoint Software, which discovered Judy, the payoff for the malware developers is to generate revenue on the false advertising clicks.

The new malicious app bypassed Google checks and may have been inside 41 popular games on the Play store for years, infecting as many as 36 million users.

“Check Point researchers discovered another widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean company. ” states the analysis published by CheckPoint. “The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads. ” “We also found several apps containing the malware, which were developed by other developers on Google Play.” “These apps also had a large amount of downloads between 4 and 18 million, meaning the total spread of the malware may have reached between 8.5 and 36.5 million users.”

The tainted software packages containing the malware were developed by a Korean company and have all been pulled from the Google Play Store. Several other vendor packages have also been pulled that reportedly contained the same malware code. However, it is not clear if these apps were intentionally designed with the Judy malware or simply suffered the same fate because of shared code.

judy Malware Android

The disclosure comes on the heels of two similar malware programs, “Falseguide” and “Skinner” which bypassed Google’s safety and check system. All the malware designs appear to be similar in that they used communications links with a Command and Control server for operation. Once the link was established, the Command Server would then download the malicious software on the unsuspecting user.

The malware developers first would design and upload a bait program to the Google Play Store. Most of the bait apps used by Judy appear to be games or simulated doll dress designs aimed at children. The bait programs would appear to be innocent to the user and pass the Google checking system since they contained no malicious code. The apps apparently look valid because they are designed to communicate with a specific URL for additional user game data such as updated dress designs for children’s dolls. Both the user and Google were unaware that the URL was actually a link to the malicious Command server.

One a user downloaded and started the app, the command server would infect the unknowing user with a silent and invisible web browser using JavaScript. The malware used the JavaScript code to locate and click on banners from Google ads once a targeted series of websites are launched inside the silent web browser. The silent browser would then simulate a computer by clicking on the paying advertisements and banners. Each infected user would then unknowingly be clicking thousands of times a day against advertisements. The fake clicks against the websites generated revenue for the malware developer cheating the paying advertisers.

One feature of Judy, however, was that some of the spammed ads also required the user to click on them in order to get the home screen functional again. While many of the apps were apparently popular, some of them received 4 and 5-star reviews, users often complained about the large number of ads that they were seeing. This tell-tale clue should have been a warning sign that the apps were doing more than simply dressing simulated dolls.

According to Checkpoint, the malware apps were all developed by a single Korean company named Kiniwini, registered on Google Play as ENISTUDIO corp.

“The company develops mobile apps for both Android and iOS platform,” states the Checkpoint bulletin.

“It is quite unusual to find an actual organization behind mobile malware, as most of them are developed by purely malicious actors. It is important to note that the activity conducted by the malware is not borderline advertising, but definitely an illegitimate use of the users’ mobile devices for generating fraudulent clicks, benefiting the attackers.”

Google has recently attempted to beef-up its Play Store, releasing new privacy and security guidelines to developers and increasing checks against potentially malevolent software apps. However, the use of a secondary communications system seems to bypass security checks since Google cannot see the hidden malware stored on a separate Command server during the upload and activation process for developers.

It is not unusual for app developers to utilize a communications link to specific URLs. Many games and user applications require a link in order to update common data, generate game revenue and add additional features. The design of using a malicious Command server to install functioning malware is something that previously had been reserved for intelligence agencies and criminal hacker organizations.

While, the abuse of millions of users to generate illegal income via hidden clicks on paying ads is not entirely new, there are darker possible designs that can target the individual users with more than just advertisements; stealing financial information, violating privacy, stalking and tracking. Both Google and Apple should take note of this new design that can bypass traditional upload and install security features of their store fronts.

Link to Checkpoint alert on Judy malware:
http://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/

About the author: Charles R. Smith is CEO of Softwar Inc. a US based information warfare company and a former national security journalist.

 

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Judy Malware, Android)

[adrotate banner=”13″]


facebook linkedin twitter

Android malware Hacking Judy mobile

you might also like

Pierluigi Paganini June 24, 2025
The U.S. House banned WhatsApp on government devices due to security concerns
Read more
Pierluigi Paganini June 24, 2025
Russia-linked APT28 use Signal chats to target Ukraine official with malware
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    The U.S. House banned WhatsApp on government devices due to security concerns

    Mobile / June 24, 2025

    Russia-linked APT28 use Signal chats to target Ukraine official with malware

    APT / June 24, 2025

    China-linked APT Salt Typhoon targets Canadian Telecom companies

    APT / June 24, 2025

    U.S. warns of incoming cyber threats following Iran airstrikes

    Cyber warfare / June 24, 2025

    McLaren Health Care data breach impacted over 743,000 people

    Data Breach / June 23, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT