Judy malware spreads to 36.5 million Android devices

Judy is the biggest malware outbreak caused by app downloads

A new strain of malware dubbed 'Judy' has infected up to 36.5 million Android users, security researchers have found.

The malware campaign was found spreading through apps available on Google Play, Google's official app store, according to a blog post by Check Point. 

Judy, the auto-clicking adware found in 41 apps, used infected devices to generate large numbers of fraudulent clicks on advertisements, generating revenue for the perpetrators behind it. The apps include Fashion Judy: Snow Queen Style; Fashion Judy: Vampire style; Chef Judy: Character Lunch; and Fashion Judy: Frozen Princess.

South Korean firm Kiniwini developed more than 40 of the apps, and put them on Google's Play Store under the name Enistudio.

"Some of the apps we discovered resided on Google Play for several years, but all were recently updated. It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown," said the researchers. 

The apps have since been removed by Google but questions have been raised over the detection methods the tech giant employs to prevent malware from entering its app store.

"To bypass 'Bouncer', Google Play's [anti-malware] protection, the hackers created a seemingly benign bridgehead app, meant to establish a connection to the victim's device, and insert it into the app store," said Check Point's advisory.

It explained: "Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author.

"The malware opens the URLs using the user agent that imitates a PC browser in a hidden web page and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure." 

Clicking on ads results in the malware author getting paid by the website developer. 
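
The traffic pattern Check Point describes (a phone presenting a PC browser user agent, receiving a redirection, then requesting an ad-click host) can be searched for in web proxy logs. The Python below is an added example, not code from Check Point or this article; the log fields, device inventory, ad-click host name and 30-second window are assumptions, and the log records are constructed.

```python
# Assumptions (not from the article): the record layout, the device inventory,
# the ad-click host list and the 30-second window are all hypothetical.
ANDROID_DEVICES = {"10.0.0.21", "10.0.0.22"}   # constructed: client IPs inventoried as Android
AD_CLICK_HOSTS = {"adclick.example"}           # placeholder for ad-network click hosts
DESKTOP_UA_MARKERS = ("Windows NT", "Macintosh", "X11; Linux")
WINDOW_SECONDS = 30

# Constructed sample proxy records: (epoch seconds, client IP, host, HTTP status, User-Agent)
SAMPLE_LOG = [
    (1000, "10.0.0.21", "landing.example", 302, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    (1004, "10.0.0.21", "publisher.example", 200, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    (1009, "10.0.0.21", "adclick.example", 302, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    (1010, "10.0.0.22", "landing.example", 302, "Mozilla/5.0 (Linux; Android 7.0; SM-G930F)"),
    (1015, "10.0.0.22", "adclick.example", 302, "Mozilla/5.0 (Linux; Android 7.0; SM-G930F)"),
    (1020, "10.0.0.50", "adclick.example", 302, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
    (2000, "10.0.0.21", "adclick.example", 302, "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"),
]

def is_desktop_ua(ua):
    """True when the User-Agent claims a PC platform and does not mention Android."""
    return "Android" not in ua and any(m in ua for m in DESKTOP_UA_MARKERS)

def find_suspect_clicks(records):
    """Return (client, redirect_time, click_time) for each ad click that a known
    Android device made with a desktop User-Agent shortly after a redirect."""
    last_redirect = {}  # client IP -> time of the latest redirect seen with a spoofed UA
    alerts = []
    for ts, client, host, status, ua in sorted(records):
        if client not in ANDROID_DEVICES or not is_desktop_ua(ua):
            continue  # only an inventoried Android device presenting a PC browser UA matters
        if host in AD_CLICK_HOSTS:
            start = last_redirect.get(client)
            if start is not None and ts - start <= WINDOW_SECONDS:
                alerts.append((client, start, ts))
        elif 300 <= status < 400:
            last_redirect[client] = ts
    return alerts

if __name__ == "__main__":
    for client, start, click in find_suspect_clicks(SAMPLE_LOG):
        print(f"{client}: desktop-UA redirect at {start}, ad click at {click}")
```

The device inventory is what makes the user-agent mismatch visible: without knowing which clients are phones, a desktop user agent on its own is unremarkable.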

"It is important to note that the activity conducted by the malware is not borderline advertising, but definitely an illegitimate use of the users' mobile devices for generating fraudulent clicks, benefiting the attackers," Check Point's researchers said.
