Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Threat Management, Threat Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Judy in Disguise: Mobile malware posing as Android apps downloaded up to 36.5M times


A pair of campaigns designed to spread ad fraud malware through supposedly innocuous Android applications generated between 8.5 million and 36.5 million downloads before Google removed the apps from its online store, Check Point Software Technologies has reported.

The malware, named "Judy" apparently because one of the apps was titled "Chef Judy: Picnic Lunch Maker," installs a malicious payload consisting of JavaScript code, a user-agent string and malicious URLs, Check Point explained in a blog post published last week. Upon installation, Judy secretly opens the URLs on a hidden website, and redirects the user to another web page that locates and clicks on ad banners, generating profits for the perpetrators. In some cases, the ads are so intrusive that users have no choice but to click on it.

Oddly, the first campaign involved a seemingly official Korean developer company called Kiniwini, which is registered on Google Play as ENISTUDIO corp. "It is quite unusual to find an actual organization behind mobile malware, as most of them are developed by purely malicious actors," Check Point noted in its post. Kiniwini created 41 apps that harbored the July malware, which collectively generated between 4.5 and 18 million downloads. Some of these apps existed for years, but they were all recently updated, suggesting that malicious code could have been recently added – but not necessarily.

The second campaign features apps created by a different developer, which may or may not have a connection with Kiniwini. These apps, the oldest of which was last updated in April 2016, were downloaded between 4 and 18 million times, according to Check Point, which alerted Google of the click fraud campaigns.

Check Point, which likened the campaign to one that recently spread FalseGuide malware, notes that the culprits were able to bypass Google Play's protections by hackers by creating a "seemingly benign bridgehead app, meant to establish connection to the victim's device, and insert[ing] it into the app store."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.