Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?


Mobile & Wireless

Judy Adware Infects Dozens of Google Play Apps

Dozens of Android applications distributed via the Google Play store have exposed up to 36.5 million users to an auto-clicking adware, Check Point security researchers reveal.

Dozens of Android applications distributed via the Google Play store have exposed up to 36.5 million users to an auto-clicking adware, Check Point security researchers reveal.

Dubbed Judy, the adware was initially discovered on 41 applications developed by a Korean company, some of which have been in the app marketplace for years. All of these programs were updated recently and had between 4.5 million and 18.5 million downloads when the security researchers found the malware.

In a second campaign, the same piece of adware was found within applications from other developers as well, also with a large number of total downloads, between 4 and 18 million (some apps had over 1 million downloads each). Potentially impacting over 36 million users to Judy, the two campaigns might have borrowed code from one another, the security researchers explain.

The malicious code managed to stay hidden in the Google Play store for a long time, as the oldest app in the second campaign was last updated in April 2016. All of the offending applications have been removed from the application storefront after Google was notified on the issue.

The crooks behind these campaigns managed to bypass Google Play’s protection (known as Bouncer), by creating a seemingly benign bridgehead app that can establish connection to the victim’s device. After the user downloads it from Google Play, the app silently registers receivers to establish a connection with the command and control (C&C) server.

Once the connection has been established, the server delivers the malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. Even after infecting the device, the adware relies on communication with the C&C server to conduct its nefarious operations.

“The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure,” Check Point explains.

The discovered malicious apps were developed by a Korean company named Kiniwini, which also develops apps for iOS and which is registered on Google Play as ENISTUDIO corp. Despite being created by a company, the offending apps engage into illicit activities by using victims’ mobile devices to generate fraudulent clicks and revenue for operators.

Advertisement. Scroll to continue reading.

Furthermore, Judy was also found to display a large amount of advertisements, some of which “leave users with no option but clicking on the ad itself.”

Despite users noticing the nefarious behavior, most of the applications have positive ratings, but it’s not unusual for malicious apps to have high reputation, as cybercriminals can easily hide the app’s real purpose or manipulate users into leaving positive ratings. Examples of such behavior would include DressCode or the recently observed fake System Update app.

Related: Thousands of Android Devices Infected by Marcher Trojan

Related: Fake Netflix App Takes Control of Android Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights