
Judy Malware: Millions of Android Devices Potentially Exposed

June 5, 2017 by Pierluigi Paganini

It has happened again; security experts have discovered a malicious application inside the official Google Play store. The new malware, dubbed "Judy," is designed to infect Android devices and generate false clicks on advertisements. According to malware researchers at Checkpoint Software, Judy malware was used by crooks to generate revenue on the false advertising clicks.

The new malicious app bypassed Google's checks, and according to the experts it may have been present in 41 popular games on the Play Store for years; if confirmed, more than 36 million users may have been infected with the Judy adware.

"Check Point researchers discovered another widespread malware campaign on Google Play, Google's official app store. The malware, dubbed 'Judy,' is an auto-clicking adware which was found on 41 apps developed by a Korean company," states the analysis published by Check Point. "The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads. We also found several apps containing the malware, which were developed by other developers on Google Play. These apps also had a large amount of downloads between 4 and 18 million, meaning the total spread of the malware may have reached between 8.5 and 36.5 million users."

The affected apps containing the malicious code were developed by a Korean company and have all been pulled from the Google Play Store. The experts also found other applications in the Play Store, developed by other vendors, that contained the same malware. It is not clear whether these infected apps were intentionally designed with the Judy adware or were simply compromised because they shared portions of code.

"We also found several apps containing the malware, which were developed by other developers on Google Play. The connection between the two campaigns remains unclear, and it is possible that one borrowed code from the other, knowingly or unknowingly," reads the report published by Check Point.

Figure 1 - Mobile app in the Google Play Store infected with Judy Adware

The researchers noticed similarities with two other malicious apps, "FalseGuide" and "Skinner," which also bypassed Google's safety checks. All of the malicious apps share a similar design: they use a communications link to a command and control (C&C) server, and once the link is established the server downloads the malicious software onto the unsuspecting user's device.

How does the malicious app bypass Google's checks?

The malware developers first design and upload a bait program to the Google Play Store; these appear to be games or doll dress-up simulations aimed at children. The bait applications pass Google's checks because they contain no malicious code. The apps look legitimate because they are designed to communicate with a specific URL for additional game data, such as updated dress designs for the children's dolls. That URL is the address of the command server from which the applications download the malicious payloads.

"To bypass Bouncer, Google Play's protection, the hackers create a seemingly benign bridgehead app, meant to establish a connection to the victim's device, and insert it into the app store. Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string, and URLs controlled by the malware author," the experts explain.

Once a user starts a malicious app, the command server provides the malicious payload, which opens a silent, invisible web browser on the unknowing user's device and drives it with JavaScript. The adware uses that JavaScript code to locate and click on banners from Google Ads once one of the websites for which it was designed has been loaded. The silent browser thus simulates a user clicking on the paid ads and banners. Each infected device ends up clicking thousands of times a day on advertisements, generating revenue for the malware developer and cheating the paying advertisers.
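One way a defender can look for this behaviour in network telemetry, as an added example that is not Check Point's or Google's code: the script below reads a constructed egress-proxy log (its format, field names and thresholds are assumptions) and flags any app that produces ad-click requests at an inhuman rate, or that sends a user-agent no other app on the device uses, which matches the server-supplied user-agent string described above.

```python
"""Heuristic detector for Judy-style auto-clicking adware (added example, not
Check Point's or Google's code). It reads an egress proxy log and flags any
app that fires ad-click requests faster than a human could, or that sends a
user-agent no other app on the device uses (a C&C-supplied string, as above).
Log format, field names and thresholds are assumptions; the log is constructed."""
from collections import Counter, defaultdict
from datetime import datetime

ANDROID_UA = "Mozilla/5.0 (Linux; Android 7.0)"          # constructed device UA
INJECTED_UA = "Mozilla/5.0 (Windows NT 10.0) Chrome/58"   # constructed payload UA

# Constructed log, one request per line: "timestamp|device|package|user_agent|url"
SAMPLE_LOG = "\n".join(
    # twelve ad clicks within one minute, all carrying the injected user-agent
    [f"2017-06-01T10:00:{s:02d}|dev1|com.example.dressup|{INJECTED_UA}|https://ads.example/click?id={s}"
     for s in range(0, 60, 5)]
    + [f"2017-06-01T10:00:03|dev1|com.example.weather|{ANDROID_UA}|https://api.weather.example/now",
       f"2017-06-01T10:01:00|dev1|com.example.weather|{ANDROID_UA}|https://ads.example/click?id=w1",
       f"2017-06-01T10:02:00|dev1|com.example.news|{ANDROID_UA}|https://ads.example/click?id=n1"]
)

def is_ad_click(url):
    # Assumption: the ad networks' click endpoints contain "/click"
    return "/click" in url

def analyze(log_text, max_clicks_per_minute=10):
    """Return {package: findings} for packages whose traffic looks like click fraud."""
    clicks = defaultdict(Counter)    # (device, package) -> minute -> ad clicks
    ua_packages = defaultdict(set)   # (device, user_agent) -> packages using it
    pkg_uas = defaultdict(set)       # (device, package) -> user-agents it sent
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, device, package, ua, url = line.split("|", 4)
        ua_packages[(device, ua)].add(package)
        pkg_uas[(device, package)].add(ua)
        if is_ad_click(url):
            minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
            clicks[(device, package)][minute] += 1
    findings = {}
    for (device, package), per_minute in clicks.items():
        peak = max(per_minute.values())
        # a user-agent that this package sent and no other app on the device used
        foreign = sorted(ua for ua in pkg_uas[(device, package)]
                         if ua_packages[(device, ua)] == {package})
        if peak > max_clicks_per_minute or foreign:
            findings[package] = {"peak_clicks_per_minute": peak, "foreign_user_agents": foreign}
    return findings
```

On the constructed log only the dress-up app is reported: twelve clicks inside one minute and a user-agent seen from no other app on the device; the weather and news apps, which click once each with the device's normal user-agent, stay below both thresholds.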

In addition to the clicking activity, Judy also displays a large number of advertisements; in many cases the ads displayed by Judy force users to click on the ad in order to close it. This behavior was noticed by users, who reported it in the feedback section of the app in the official store.

According to Checkpoint, the malware apps were all developed by a single Korean company named Kiniwini, registered on Google Play as ENISTUDIO corp.

"The company develops mobile apps for both Android and iOS platform," states the Checkpoint bulletin.

"It is quite unusual to find an actual organization behind mobile malware, as most of them are developed by purely malicious actors. It is important to note that the activity conducted by the malware is not borderline advertising, but definitely an illegitimate use of the users' mobile devices for generating fraudulent clicks, benefiting the attackers."

Google is aware of the techniques adopted by crooks to bypass its checks; it is releasing new privacy and security guidelines for developers and increasing its checks against fraudulent activity. A secondary communications channel, however, is still able to bypass the security checks Google implements: the IT giant cannot analyze malware that is stored on a separate command server during the upload and activation process for developers.

It is not unusual for app developers to use a communications link to specific URLs; many games and user applications require such a link to update common data, generate game revenue and add features. Using a command server to install functioning malware, however, is a design that had previously been reserved for intelligence agencies and criminal hacker organizations.

Google is rolling out new measures to protect Android users

The effectiveness of threats like the Judy malware is pushing IT giants to adopt new solutions to prevent them from spreading.

Google has recently announced the deployment of another security defense system, called Google Play Protect, designed to protect devices running the Android mobile OS.

Google already uses several security measures to protect mobile devices; Verify Apps and the Bouncer service are the most important defenses implemented by the company. Unfortunately, once the apps are uploaded to the Play Store and installed on the user's device, Google has not been able to monitor the apps' behavior and detect the malicious ones.

Figure 2 - Google Play Protect

Google Play Protect uses machine learning and app-usage analysis to identify malicious activity on the mobile device.

The new system is integrated into the Google Play Store app, which means its operation is transparent to end users, who do not need to install or enable it on their devices.

"Google Play Protect continuously works to keep your device, data, and apps safe. It actively scans your device and is constantly improving to make sure you have the latest in mobile security. Your device is automatically scanned around the clock, so you can rest easy." reads the description published by Google.

Google Play Protect implements the following features:

  • App scanning
  • Anti-Theft Measures
  • Browser Protection

The new protection service will be rolling out to all Android mobile devices over the coming weeks.

The figures announced by Google are impressive: the app scanning is an always-on service on devices, and it can scan 50 billion apps each day across a billion Android mobile devices to detect malicious applications.

Google Play Protect also monitors mobile apps that users have installed from third-party stores, a circumstance that is very frequent. In many cases Android users download mobile applications from unofficial stores; recently I bought a drone that allows the user to access the built-in camera through a mobile app that is available for download from a server located in China, and many other IoT devices are controlled by similar apps hosted in third-party stores.

The key components of the new service implemented by Google are the machine learning algorithms that compare app behavior and can identify any behavior that matches malicious patterns.

The machine learning system is regularly updated to identify and mitigate new cyber threats; every time a malicious app is detected, the Google Play Protect service warns the user or even disables the app.

"With more than 50 billion apps scanned every day, our machine learning systems are always on the lookout for new risks, identifying potentially harmful apps and keeping them off your device or removing them. All Google Play apps go through a rigorous security analysis even before they're published on the Play Store—and Play Protect warns you about bad apps that are downloaded from other sources too." states a blog post published by Google. "Play Protect watches out for any app that might step out of line on your device, keeping you and every other Android user safe."

The new system implemented by Google also offers anti-theft measures: the Android Device Manager has been replaced with Find My Device, which allows users to locate lost and misplaced devices. The new feature is available through the user's browser or from any other mobile device, and the service also allows users to wipe data on the lost device remotely.

Another interesting feature is the integration with Safe Browsing in Chrome, through which Google Play Protect protects users while they browse.

The feature blocks malicious websites designed to deliver malicious code to mobile devices.

Let me close with one consideration: despite the efforts of security firms and IT giants, it is important that users adopt best practices to protect their mobile devices, such as installing a protection solution and installing only the applications they actually need.

Beware of mobile phishing attacks, which are becoming ever more insidious.



Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.