Android alert: This cutesy malware has infected millions of devices

Auto-clicking 'Judy' adware was distributed by over 40 apps in Google's official Android market.
Written by Danny Palmer, Senior Writer

It's unknown how long the adware campaign was operating before being uncovered.


Security researchers have discovered a large malware campaign in the Google Play store.

Dubbed Judy -- because many of the malicious apps are games featuring a cutesy character of that name -- the auto-clicking adware was found in 41 different apps created by a Korean mobile app developer, whose products have been downloaded by up to 18 million Android users. Some of the apps have been available for many years and are regularly updated.

Uncovered by cybersecurity researchers at Check Point Software, the malware uses devices to generate fraudulent clicks on adverts, generating income for those behind the scheme.

The malware was also discovered in several apps created by other developers on Google Play, some of which haven't been updated since April 2016. This suggests the malicious code was able to hide in the store undetected for over a year. The connection between the two campaigns is unknown, but it's possible one developer borrowed code from the other.

It's unclear how long the malicious code has existed within this second group of apps, but they have been downloaded by up to 18 million users.

This is the latest instance of malicious apps sneaking into the Play store, part of Google's ongoing battle with Android malware.


An example of one of the malicious Judy apps in the Play Store

Image: Check Point

The Judy apps are able to bypass Google Play's Bouncer protection system by using similar techniques to other forms of malware which have successfully infiltrated the Android store -- such as FalseGuide and Skinner -- because the malicious code is hidden from view.

In this case, those behind Judy have created a benign bridgehead app which is seen in the app store. However, once the app has been downloaded by a user, Judy secretly establishes a connection with a command and control server, which replies with the malicious payload: JavaScript code, a user-agent string, and URLs controlled by the malware author.

Following installation, the payload secretly uses the JavaScript code to locate and click on banners from Google ads, for which the malware author receives payment. While there's no estimated figure for how much revenue has been made, researchers say it's likely to be a large amount, especially as the malware is widespread.

Many of the malicious apps are developed by a Korean firm named Kiniwini, whose products in the Play Store are registered under the name ENISTUDIO corp. They develop products for both Android and iOS and their games focus on a character called Judy doing various jobs ranging from cooking to pet care.

The researchers note that it's unusual to unearth the actors behind malicious apps, which in this case are hijacking users' devices to generate fraudulent clicks.

In addition to the fraudulent activity, the apps display a number of adverts which often leave users with no option but to click on them. Some users have commented on this as suspicious in negative reviews. However, the apps still enjoyed high user ratings -- a reminder that review scores can't always be trusted as apps can trick users into giving high scores.


Negative reviews noting suspicion of Judy apps in the Play Store.

Image: Check Point

Check Point has informed Google about the adware and the apps have now been removed from the store, although the millions who've already downloaded them are likely to remain unaware they're affected, due to the lack of any sort of recall facility for apps.

While Google keeps the vast majority of its 1.4 billion Android users safe from malware, malicious apps still get through.

Kiniwini has posted a statement on its website, which seems to refer to the games being removed from Google Play.
"Recently, our game apps have been blocked on Google Play and the service has been stopped," the company said.

Google had not responded to a request for comment at the time of publication.

