Google’s Play Store seems to have hosted apps containing the newly discovered Judy malware since April of 2016, according to a report from Check Point. The firm found a total of 41 apps from the same Korean company that contained the malware, as well as a few apps created by other entities that inexplicably had the malware in them. All of those apps have since been reported to Google and removed from Google Play, but at least one of them had last been updated in April of 2016, meaning that the malware has been lurking on the Play Store for over a year.
The malware is named Judy after the series of games it’s hidden in. It is rather simple in its execution. It begins with a phone-home to a control server from an app that a user downloads from the Play Store. The malicious action doesn’t actually happen inside the app code that’s in the Play Store, which helps the apps get past Google’s Bouncer protections. Once the app phones home, the control server sends a JavaScript payload that starts the actual malicious process. It controls the phone beneath the surface, directing it to URLs supplied by the control server, where it seeks out ads from Google and then gives them repeated anonymous clicks to generate ad revenue for the attacker.
The Korean company that put the Judy games on Google Play is known as Kiniwini, and is registered under the name ENISTUDIO corp. on Google Play’s developer listings. A cursory glance at the company’s website makes it seem like just another freemium mobile developer, with games on both iOS and Android. The otherwise unassuming Judy series checks all the normal mass-produced freemium game boxes: fashion, animals, food, and the like, but contains malware that generates fraudulent revenue by using an infected device without the user’s knowledge. The other apps that have the malware come from scattered developers, and most of them don’t even have English names, meaning that one would be hard-pressed to find them on most countries’ Play Stores. Along with the Judy series, the list of apps with English names includes Dog Music (Relax), Spring-It’s stylish, it’s sexy, and Crafting Guide for Minecraft. These apps don’t look malicious on the surface, and may even have millions of downloads and good reviews.