Security researchers at Check Point have discovered a new malware called ‘Judy’ that is infecting millions of Android smartphones globally. According to them, this is possibly the largest malware campaign found on the Google Play Store, having already infected around 36.5 million Android devices.
What is Judy?
According to the blog post published by Check Point on Thursday, Judy is adware used to generate fraudulent clicks on advertisements for revenue. It generates false clicks from infected devices, and 41 apps are spreading it.
“The malware, dubbed “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.”
How widely has it spread?
According to the Check Point blog post, the malicious apps are estimated to have been downloaded on around 18.5 million devices, and up to 36.5 million devices may be affected. Some of these apps have been on the Google Play store for a long time.
The researchers also found a few more apps containing the same malware, developed by other developers on Google Play. The connection between the two campaigns remains unclear, though the researchers believe it is possible that one developer borrowed code from the other, “knowingly or unknowingly.”
How does the Malware work?
The fraudulent apps act as bridges connecting the user’s device to the adware server. Once the connection is established, the malware poses as a PC browser to open a page and generate clicks.
“To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish a connection to the victim’s device, and insert it into the app store.”
Once a user installs a malicious app, it silently registers the device with a remote command and control server and, in reply, receives the actual malicious payload: JavaScript code that starts the click-fraud process.
“The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure,” the researchers say.
Each click on an ad earns the malware’s operators a payment from the website developer, who pays for the illegitimate clicks and traffic.
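The behaviour described above, an Android device fetching ad pages with a user agent that claims to be a desktop browser, is something a network defender can look for in egress proxy logs. The following is an added example, not code from Check Point’s report or from this article; the log format and the sample lines are constructed for illustration, and the detection is a heuristic (a user who taps “request desktop site” will also trigger it, which is why a per-client threshold is used).

```python
import re

# Constructed sample egress proxy log (not real Judy traffic). Format assumed here:
# "<client_ip> <device_platform> <host> \"<user_agent>\""
SAMPLE_LOG = """\
10.0.0.5 android ads.example.net "Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 Chrome/58.0 Mobile Safari/537.36"
10.0.0.5 android ad-click.example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
10.0.0.5 android ad-click.example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
10.0.0.7 android api.example.com "okhttp/3.8.0"
10.0.0.9 windows ad-click.example.org "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# Platform tokens that only a desktop browser would send.
DESKTOP_UA = re.compile(r"Windows NT|Macintosh|X11; Linux x86_64")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, platform, host, ua = m.groups()
    return {"ip": ip, "platform": platform, "host": host, "ua": ua}


def is_spoofed_desktop(entry):
    """True when an Android client presents a desktop user agent (the mismatch Judy relies on)."""
    return entry["platform"] == "android" and DESKTOP_UA.search(entry["ua"]) is not None


def find_suspect_clients(log_text, min_hits=2):
    """Count mismatched requests per Android client; report clients at or above the threshold."""
    counts = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and is_spoofed_desktop(entry):
            counts[entry["ip"]] = counts.get(entry["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for ip, n in find_suspect_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} Android requests with a desktop user agent")
```

A hit is a lead for triage (which app on the device generated the traffic), not proof of infection on its own.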
Who is behind Judy?
“The malicious apps are all developed by a Korean company named Kiniwini, registered on Google Play as ENISTUDIO corp. The company develops mobile apps for both Android and iOS platforms. It is quite unusual to find an actual organization behind the mobile malware, as most of them are developed by purely malicious actors.”
How to ensure that you are safe?
After Check Point notified Google about the threat, Google removed the malicious apps from the Play store and updated its Bouncer protection. To be sure, check the list of malicious apps published by the security research firm, and if any of them is installed on your device, remove it immediately.
Earlier this month, the WannaCry ransomware wreaked havoc across over 100 countries, hitting more than 200,000 computers, including in Russia and the UK. Now Judy has emerged in the world of Android smartphones. Seeing that the malware bypassed Google Play’s protection, it seems users cannot rely even on the official app stores for their safety.