
Judy Adware Infects Dozens of Google Play Apps

Dozens of Android applications distributed via the Google Play store have exposed up to 36.5 million users to an auto-clicking adware, Check Point security researchers reveal.

Dubbed Judy, the adware was initially discovered in 41 applications developed by a Korean company, some of which have been in the app marketplace for years. All of these programs were updated recently and had between 4.5 million and 18.5 million downloads when the security researchers found the malware.

In a second campaign, the same piece of adware was found within applications from other developers as well, also with a large number of total downloads, between 4 and 18 million (some apps had over 1 million downloads each). The two campaigns, which potentially exposed over 36 million users to Judy, might have borrowed code from one another, the security researchers explain.

The malicious code managed to stay hidden in the Google Play store for a long time, as the oldest app in the second campaign was last updated in April 2016. All of the offending applications were removed from the application storefront after Google was notified of the issue.

The crooks behind these campaigns managed to bypass Google Play’s protection (known as Bouncer) by creating a seemingly benign bridgehead app that can establish a connection to the victim’s device. After the user downloads it from Google Play, the app silently registers receivers to establish a connection with the command and control (C&C) server.

Once the connection has been established, the server delivers the malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. Even after infecting the device, the adware relies on communication with the C&C server to conduct its nefarious operations.

“The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure,” Check Point explains.
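A defender-side sketch of how the behavior described above could surface in web-proxy logs, added here as an example and not taken from Check Point's research or this article: it flags devices that are Android according to the asset inventory yet present a PC user agent, get redirected, and then repeatedly request ad-click hosts. The log fields, inventory, host names and click threshold are assumptions, and every record is constructed.

```python
import re
from collections import defaultdict

# Assumption: a UA "imitates a PC browser" when it carries a desktop platform
# token and no mobile token.
DESKTOP = re.compile(r"Windows NT|Macintosh|X11; Linux")
MOBILE = re.compile(r"Android|Mobile|iPhone|iPad")

def is_desktop_ua(ua):
    return bool(DESKTOP.search(ua)) and not MOBILE.search(ua)

def flag_devices(records, inventory, ad_click_hosts, min_clicks=3):
    """Return {device: ad_click_count} for inventoried Android devices that,
    under a desktop UA, were redirected and then requested ad-click hosts."""
    redirected = set()            # devices that received a 3xx under a desktop UA
    clicks = defaultdict(int)
    for r in records:             # records are assumed to be in time order
        dev = r["device"]
        if inventory.get(dev) != "android" or not is_desktop_ua(r["ua"]):
            continue              # not an Android device presenting a PC user agent
        if 300 <= r["status"] < 400:
            redirected.add(dev)
        elif dev in redirected and r["host"] in ad_click_hosts:
            clicks[dev] += 1
    return {d: n for d, n in clicks.items() if n >= min_clicks}

# Constructed sample data (hypothetical devices, hosts and UA strings).
PC_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36"
PHONE_UA = "Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 Chrome/58.0 Mobile Safari/537.36"
INVENTORY = {"phone-01": "android", "phone-02": "android", "laptop-07": "windows"}
AD_HOSTS = {"adclick.example"}

def session(device, ua, clicks):
    """One redirect from a landing page followed by `clicks` ad-click requests."""
    first = {"device": device, "ua": ua, "host": "landing.example", "status": 302}
    click = {"device": device, "ua": ua, "host": "adclick.example", "status": 200}
    return [first] + [dict(click) for _ in range(clicks)]

SAMPLE = (session("phone-01", PC_UA, 4)        # Android device, PC user agent
          + session("phone-02", PHONE_UA, 4)   # Android device, honest mobile UA
          + session("laptop-07", PC_UA, 4))    # real PC, PC user agent

if __name__ == "__main__":
    print(flag_devices(SAMPLE, INVENTORY, AD_HOSTS))
```

Only `phone-01` is flagged: the other Android device uses a mobile user agent, and the laptop's desktop user agent matches its inventoried platform.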

The discovered malicious apps were developed by a Korean company named Kiniwini, which also develops apps for iOS and which is registered on Google Play as ENISTUDIO corp. Despite being created by a company, the offending apps engage in illicit activities by using victims’ mobile devices to generate fraudulent clicks and revenue for operators.

Furthermore, Judy was also found to display a large amount of advertisements, some of which “leave users with no option but clicking on the ad itself.”

Despite users noticing the nefarious behavior, most of the applications have positive ratings. It is not unusual for malicious apps to have a high reputation, as cybercriminals can easily hide the app’s real purpose or manipulate users into leaving positive ratings. Examples of such behavior include DressCode and the recently observed fake System Update app.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
