The mobile ad fraud malware "Judy" comes disguised as Google Play apps, many of which were developed by the Korean developer company Kiniwini.
The mobile ad fraud malware "Judy" comes disguised as Google Play apps, many of which were developed by the Korean developer company Kiniwini.

A pair of campaigns designed to spread ad fraud malware through supposedly innocuous Android applications generated between 8.5 million and 36.5 million downloads before Google removed the apps from its online store, Check Point Software Technologies has reported.

The malware, named "Judy" apparently because one of the apps was titled "Chef Judy: Picnic Lunch Maker," installs a malicious payload consisting of JavaScript code, a user-agent string and malicious URLs, Check Point explained in a blog post published last week. Upon installation, Judy secretly opens the URLs on a hidden website, and redirects the user to another web page that locates and clicks on ad banners, generating profits for the perpetrators. In some cases, the ads are so intrusive that users have no choice but to click on it.

Oddly, the first campaign involved a seemingly official Korean developer company called Kiniwini, which is registered on Google Play as ENISTUDIO corp. "It is quite unusual to find an actual organization behind mobile malware, as most of them are developed by purely malicious actors," Check Point noted in its post. Kiniwini created 41 apps that harbored the July malware, which collectively generated between 4.5 and 18 million downloads. Some of these apps existed for years, but they were all recently updated, suggesting that malicious code could have been recently added – but not necessarily.

The second campaign features apps created by a different developer, which may or may not have a connection with Kiniwini. These apps, the oldest of which was last updated in April 2016, were downloaded between 4 and 18 million times, according to Check Point, which alerted Google of the click fraud campaigns.

Check Point, which likened the campaign to one that recently spread FalseGuide malware, notes that the culprits were able to bypass Google Play's protections by hackers by creating a "seemingly benign bridgehead app, meant to establish connection to the victim's device, and insert[ing] it into the app store."