The new malware, found in 41 apps on the Google Play Store, uses infected devices to generate fraudulent clicks on advertisements.


Android security is once again under scrutiny as a new malware, dubbed ‘Judy’, is reported to have infected approximately 36.5 million smartphones. The malware has been found in 41 apps on the Google Play Store and uses infected devices to generate fraudulent clicks on advertisements.

The security firm Check Point discovered the malware campaign on the Google Play Store and has alerted Google. The search engine giant is currently working to remove the infected apps from its app store. The firm further states that the malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads. The apps include cooking and fashion games under the ‘Judy’ brand.

What is Judy Malware and how does it work?

According to the security firm, Judy is an auto-clicking adware, which creates false clicks on advertisements, and generates substantial revenue for the attackers.

The way the malware works is interesting. First, you need to know that Google Play has a protection tool known as Bouncer. The hackers created seemingly harmless apps that bypassed this check, mainly because the malicious behaviour is not contained in the app itself but is delivered from a command-and-control server. Once the user downloads one of the malicious apps, the malware connects to the server, which delivers the malicious payload.

The security firm says that the payload includes “JavaScript code, a user-agent string and URLs controlled by the malware author.” The malware then opens the URLs with the supplied user-agent string, so that the infected device imitates a PC browser, and launches the targeted website. Once that is done, the malware uses the JavaScript to locate and click on banners from the Google ads infrastructure.

So with every click, the hackers receive payment from the website developer, which pays for illegitimate clicks and traffic. Further, the JavaScript locates the targeted ads by searching for iframes which contain ads from the Google ads infrastructure.
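A defender-side check for the user-agent spoofing described above, as an added example that is not from Check Point or the original article. It assumes the ad pages are loaded in an Android WebView, which by default sends an `X-Requested-With` header carrying the app's package name, and it flags apps whose requests nonetheless claim to be a desktop browser; the log format, field names, hosts and package names are constructed for illustration.

```python
import json
import re
from collections import defaultdict

# Constructed proxy log (one JSON record per line); every value here is hypothetical.
SAMPLE_LOG = """\
{"src": "10.0.0.21", "host": "news.example", "ua": "Mozilla/5.0 (Linux; Android 7.0; wv) AppleWebKit/537.36 Chrome/58.0 Mobile Safari/537.36", "x_requested_with": "com.example.reader"}
{"src": "10.0.0.34", "host": "landing-a.example", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36", "x_requested_with": "com.example.cookgame"}
{"src": "10.0.0.34", "host": "landing-b.example", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36", "x_requested_with": "com.example.cookgame"}
{"src": "10.0.0.50", "host": "shop.example", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/58.0 Safari/537.36", "x_requested_with": "XMLHttpRequest"}
{"src": "10.0.0.21", "host": "landing-c.example", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/603.1 Safari/603.1", "x_requested_with": "com.example.reader"}
"""

# Looks like an Android package name (dotted identifier), not "XMLHttpRequest".
PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z0-9_]+)+$", re.I)
# Platform tokens that desktop browsers put in their user-agent string.
DESKTOP_RE = re.compile(r"Windows NT|Macintosh|X11; Linux", re.I)


def ua_mismatch(record):
    """True when a request attributed to an Android app claims a desktop browser."""
    pkg = record.get("x_requested_with", "")
    ua = record.get("ua", "")
    if not PACKAGE_RE.match(pkg):
        return False  # cannot be tied to an app WebView, so out of scope
    return "Android" not in ua and bool(DESKTOP_RE.search(ua))


def find_suspects(log_text, min_hits=2):
    """Map (source IP, package) -> hosts reached with a spoofed desktop UA."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged log lines rather than abort the scan
        if ua_mismatch(rec):
            hits[(rec.get("src", "?"), rec["x_requested_with"])].add(rec.get("host", ""))
    # Require several distinct hosts so a single odd request is not reported.
    return {key: sorted(hosts) for key, hosts in hits.items() if len(hosts) >= min_hits}


if __name__ == "__main__":
    for (src, pkg), hosts in find_suspects(SAMPLE_LOG).items():
        print(f"{src} {pkg}: desktop UA sent to {', '.join(hosts)}")
```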

Who is behind Judy?

Check Point says the group behind this attack is known as Kiniwini, which is registered on Google Play as ENISTUDIO corp. The group is from South Korea, and the company develops freemium apps on both Android and iOS.

How long has it been present on the Google Play Store?

The firm notes that some of the apps that carried this malware were present on the Google Play Store for years. The oldest app, according to Check Point, was last updated in April 2016, which means that the malicious code hid on the Play Store undetected for a long time.

How many users are infected?

According to the security firm, “the malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads.” The total spread of the malware may have reached between 8.5 and 36.5 million users.

How to protect yourself from this malware?

First of all, before downloading any app, try to read the user reviews and check for any suspicious behaviour by the application. Secondly, keep your system updated with the latest software and security patches. If possible, use a VPN service when connected to a public network, and install an antivirus programme, which would be helpful.

Hopefully, with Google's latest security measures, such as Play Protect, this kind of malware will be detected sooner rather than later. The protection was recently announced during the company's annual developer conference and is meant to safeguard users from malicious and dangerous apps. Play Protect will be built into every device with Google Play and will automatically take action to keep users’ data and devices safe. Google says that it scans more than 50 billion apps every day, and the new feature will detect and remove apps that might be harmful.