PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

'Judy' Malware Potentially Hits Up to 36.5M Android Devices

It's 'possibly the largest malware campaign found on Google Play,' according to Check Point.

Chloe Albanesius
 & Chloe Albanesius Executive Editor, News

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

Up to 36.5 million Android devices may have been infected by malware that produced fake ad clicks and lined the pockets of its developers.

SecurityWatchAs outlined by security firm Check Point, 41 apps developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp., "infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it."

It's "possibly the largest malware campaign found on Google Play," according to Check Point.

Google "swiftly" removed the apps from Google Play after being alerted to their existence, Check Point says, but not before they "reached an astonishing spread between 4.5 million and 18.5 million downloads." Some were available on the store for several years and all were recently updated.

"It is unclear how long the malicious code existed inside the apps, hence the actual spread of the malware remains unknown," Check Point says, but those download numbers mean "the total spread of the malware may have reached between 8.5 and 36.5 million users."

Judy Malware

The malware was dubbed Judy by Check Point after the title character in Kiniwini's apps. Chef Judy: Picnic Lunch Maker, for example, encourages players to "create delicious food with Judy." But Judy-themed games ran the gamut, from "Animal Judy" and "Fashion Judy."

How does Judy infect your device? Hackers create an innocuous app that can get around Google's Bouncer security screening and is added to an app store.

"Once a user downloads a malicious app, it silently registers receivers which establish a connection with the [Command and Control] server," Check Point says. "The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure."

Check Point likens Judy to two previous exploits: FalseGuide and Skinner. And like another bug, DressCode, Judy hid behind good reviews. "Hackers can hide their apps' real intentions or even manipulate users into leaving positive ratings, in some cases unknowingly. Users cannot rely on the official app stores for their safety, and should implement advanced security protections capable of detecting and blocking zero-day mobile malware," Check Point says.

Kiniwini develops apps for iOS and Android, Check Point says, but it did not mention any problems with the iOS apps. As of Sunday afternoon, 45 ENISTUDIO Corp. Judy apps are available in the App Store, most of which appear to have last been updated on March 31.

About Our Expert

Chloe Albanesius

Chloe Albanesius

Executive Editor, News

My Experience

I started out covering tech policy in DC for The National Journal, where my beat included state-level tech news and all the congressional hearings and FCC meetings I could handle. I later covered Wall Street trading tech before switching gears to consumer tech. I now lead PCMag's news coverage.

My Areas of Expertise

Getting my start in DC means I still have a soft spot for tech policy; Congressional hearings can sometimes be as entertaining as a Bravo reality show, for better or worse. But PCMag is all about the technology we use every day, as well as keeping an eye out for the trends that will shape the industry in the years ahead (or flop on arrival). I've covered the rise of social media, the iOS vs. Android wars, the cord-cutting revolution that's now left us with hefty streaming bills, and the effort to stuff artificial intelligence into every product you could imagine. This job has taken me to CES in Vegas (one too many times), IFA in Berlin, and MWC in Barcelona. I also drove a Tesla 1,000 miles out west as part of our Best Mobile Networks project. Of late, my focus is on our hard-working team of reporters at PCMag, guiding and editing their robust coverage.

Read the latest from Chloe Albanesius

Read full bio