‘Judy’ Android malware from Google Play reached up to 36m phones

Researchers have found over 40 Android apps on the Google Play store that contained malware that delivers automated clicks on ads to fraudsters.

According to Check Point, the malicious “Judy” apps have affected as many as 36 million users who downloaded the apps from Google’s official store.

Most of the apps were built by Kiniwini, a Korean mobile app maker registered on Google Play as “Enistudio corp”. The malicious apps had downloads of between four million and 18 million. The Judy apps are the latest to exploit Android phones to fraudulently boost clicks on ads. Some of the apps are filled with ads and some give users no other option but to click.  

Google removed the Judy apps after being notified by Check Point. The Judy apps featured a character called Judy in different themes, such as fashion, cooking, and animals. 

One of the apps from Enistudio, called “Judy’s Spa Salon”, was downloaded between 1 million and 5 million times. Many of the others were installed by fewer than 500,000 users. However, the malware was also inside more apps from other developers, two of which had downloads of up to 5 million.  

The malicious apps seek out banner ads from Google’s ad services and cause each infected device to click on them. The apps connect to the attacker’s server, which delivers JavaScript code, a user-agent string that imitates a PC browser, and a set of URLs. Once the website the attacker wants opened has loaded, the JavaScript code locates the banner ads by searching for code with “google.com” in it and then clicks on the ads.
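A server-side check for the user-agent spoofing described above, as an added example that is not from Check Point or the original article. It assumes the pages are loaded in an Android WebView, which by default adds an `X-Requested-With` header carrying the app's package name, and that the ad server logs that header; the field names, thresholds and package names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample data, not real traffic. "ua" is the User-Agent header,
# "xrw" the X-Requested-With header (assumed to be logged by the ad server).
DESKTOP = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36")
MOBILE = ("Mozilla/5.0 (Linux; Android 7.0; Pixel Build/NRD90M; wv) "
          "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
          "Chrome/58.0.3029.83 Mobile Safari/537.36")
CLICKS = (
    [{"ua": DESKTOP, "xrw": "com.example.dressupgame"}] * 5    # app posing as a PC
    + [{"ua": MOBILE, "xrw": "com.example.newsreader"}] * 4    # honest in-app views
    + [{"ua": DESKTOP, "xrw": "com.example.newsreader"}]       # one "desktop site" view
    + [{"ua": DESKTOP, "xrw": ""}] * 3                         # real desktop browser
    + [{"ua": MOBILE, "xrw": "XMLHttpRequest"}]                # ordinary AJAX call
)

DESKTOP_UA = re.compile(r"\((Windows NT|Macintosh|X11)\b")
# Package names contain at least one dot, which excludes "XMLHttpRequest".
ANDROID_PKG = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z0-9_]+)+$", re.I)

def is_mismatch(click):
    """True when a click claims a PC browser but was tagged by an Android app."""
    ua, xrw = click["ua"], click.get("xrw") or ""
    return bool(DESKTOP_UA.search(ua)) and "Android" not in ua \
        and bool(ANDROID_PKG.match(xrw))

def suspicious_packages(clicks, min_clicks=3, min_ratio=0.8):
    """Packages whose ad clicks are mostly UA/package mismatches.

    The thresholds keep a legitimate app's occasional "request desktop
    site" view from being flagged on a single mismatch.
    """
    total, bad = Counter(), Counter()
    for c in clicks:
        pkg = c.get("xrw") or ""
        if ANDROID_PKG.match(pkg):
            total[pkg] += 1
            bad[pkg] += is_mismatch(c)
    return sorted(p for p in total
                  if bad[p] >= min_clicks and bad[p] / total[p] >= min_ratio)

if __name__ == "__main__":
    print(suspicious_packages(CLICKS))
```
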

According to Google, just 0.16 percent of all apps on the Play store are malicious. While Google does scan apps for malicious behavior before allowing them to be distributed on the store, it frequently removes apps detected as malicious by external security researchers. 

Earlier this year it removed several banking trojan apps that were more risky for users than the Judy adware. 


Check Point notes that the Judy malware is similar to a previous ad fraud campaign on Google Play, dubbed DressCode, which buried malicious behaviors in apps with a high reputation.

