A recent report from security research firm Check Point has revealed that ‘Judy’ malware has infected up to 36.5 million Android devices worldwide. Judy is an auto-clicking adware found in 41 apps on the Google Play Store. All of these apps were developed by a Korean company named Kiniwini, registered as ENISTUDIO corp. on the Google Play store. The firm develops apps for both the Android and iOS platforms.
According to Check Point “These apps had a large amount of downloads between 4 and 18 million, meaning the total spread of the malware may have reached between 8.5 and 36.5 million users.”
The security firm further added that “Some of the apps we discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown.”
The report suggests that Judy was able to bypass Bouncer, Google Play’s protection tool, by using a seemingly harmless ‘bridgehead’ app: the app itself passed the store’s checks, and only afterwards did it contact a Command and Control server.
Once a user installs one of the malicious apps, it sets up a connection to the Command and Control server, which delivers the actual malicious payload. This includes the ‘JavaScript code, a user-agent string and URLs controlled by the malware author.’
The malware opens the URLs in a hidden webpage, using a user agent that imitates a PC browser, and that page redirects to another website. Once the targeted website is loaded, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure. Each click earns the malware author a payment from the website developer, who pays for the illegitimate clicks and traffic.
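Two of the traits described above are visible from the network side on a fleet of managed phones: an Android device that suddenly presents a desktop-browser user agent, and a burst of requests to ad-serving hosts. The following detection heuristic is an added example written for this article, not code from Check Point or from the Judy report. It runs over constructed proxy-log lines (timestamp, device id, platform, quoted user agent, URL; a format assumed for the example) and flags devices that combine a desktop user agent with several ad-host hits inside a short window. The ad-host names are placeholders that a real deployment would replace with its own inventory.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# Hypothetical ad-serving hosts to watch (constructed placeholders, not real ad domains).
AD_HOSTS = {"ads.example-adnetwork.test", "banners.example-adnetwork.test"}

# Substrings that a desktop-browser user agent carries; the page only says "imitates a PC browser",
# so the exact string the malware used is not assumed here.
DESKTOP_MARKERS = ("Windows NT", "Macintosh", "X11; Linux x86_64")

# Log line layout assumed for this example: <ts> <device> <platform> "<user agent>" <url>
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\S+)$')

# Constructed sample traffic. dev-002 behaves like the adware (desktop UA on Android, three ad
# clicks in nine seconds); dev-003 clicks an ad with a normal mobile UA; dev-004 has the odd UA
# but its ad hits are an hour apart, so it stays below the burst threshold.
SAMPLE_LOG = """\
2017-05-26T10:00:01Z dev-001 android "Mozilla/5.0 (Linux; Android 7.0; SM-G930V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Mobile Safari/537.36" https://news.example.test/article/1
2017-05-26T10:00:02Z dev-002 android "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Safari/537.36" https://landing.example.test/
2017-05-26T10:00:05Z dev-002 android "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Safari/537.36" https://ads.example-adnetwork.test/click?id=1
2017-05-26T10:00:09Z dev-002 android "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Safari/537.36" https://ads.example-adnetwork.test/click?id=2
2017-05-26T10:00:14Z dev-002 android "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Safari/537.36" https://banners.example-adnetwork.test/click?id=3
2017-05-26T10:00:20Z dev-003 android "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Mobile Safari/537.36" https://ads.example-adnetwork.test/click?id=4
2017-05-26T10:30:00Z dev-004 android "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Safari/537.36" https://ads.example-adnetwork.test/click?id=5
2017-05-26T11:30:00Z dev-004 android "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Safari/537.36" https://ads.example-adnetwork.test/click?id=6
2017-05-26T12:30:00Z dev-004 android "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0 Safari/537.36" https://ads.example-adnetwork.test/click?id=7
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, device, platform, ua, url = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "device": device,
        "platform": platform,
        "ua": ua,
        "url": url,
    }


def is_desktop_ua(ua):
    """True when the user agent claims a desktop OS and carries no mobile/Android token."""
    return any(marker in ua for marker in DESKTOP_MARKERS) and "Mobile" not in ua and "Android" not in ua


def is_ad_host(url, ad_hosts=AD_HOSTS):
    """True when the request host is one of the watched ad-serving hosts."""
    return urlparse(url).hostname in ad_hosts


def max_hits_in_window(timestamps, window_seconds):
    """Largest number of events that fall inside any window of window_seconds (sliding window)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while (ts[end] - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_suspicious_devices(log_text, ad_hosts=AD_HOSTS, min_ad_hits=3, window_seconds=60):
    """Flag Android devices whose desktop-UA requests to ad hosts come in bursts.

    Returns {device: {"ad_hits": total, "max_in_window": burst}} for flagged devices only.
    """
    ad_hits = defaultdict(list)  # device -> timestamps of ad-host requests sent with a desktop UA
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["platform"] != "android":
            continue
        if is_desktop_ua(rec["ua"]) and is_ad_host(rec["url"], ad_hosts):
            ad_hits[rec["device"]].append(rec["ts"])
    flagged = {}
    for device, stamps in ad_hits.items():
        burst = max_hits_in_window(stamps, window_seconds)
        if burst >= min_ad_hits:
            flagged[device] = {"ad_hits": len(stamps), "max_in_window": burst}
    return flagged


if __name__ == "__main__":
    for device, info in find_suspicious_devices(SAMPLE_LOG).items():
        print(f"{device}: {info['ad_hits']} ad hits, {info['max_in_window']} within one window")
```

Requiring both signals keeps the false-positive rate down: a mobile user who legitimately taps an ad (dev-003) is not flagged, and neither is a device whose desktop user agent is explained by a "request desktop site" setting unless it also produces click bursts. The thresholds are tuning knobs, not values taken from the report.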