Here is adware that plays on your mobile

By Balamurugan Selvaraj Published on May 30, 2017 04:46 PM IST

Today, security has become a dear thing across the world. Recent KSN data states that India ranks in sixth place in mobile malware attacks among other countries. We have already reported about such flaws and malicious apps available on Google Play Store.

In addition to that, Checkpoint researchers discovered another malware campaign last week on Google Play. According to the security researchers, the malware, dubbed as ‘Judy’, has been spreading widely through Google Play Store.

Judy is an auto-clicking adware found on 41 apps developed by a Korean company named Kiniwini, registered on Google Play as ENISTUDIO corp.


Judy is similar to other adware. As soon as it infects the device, it will generate large amounts of fraudulent clicks on advertisements, which creates major revenue to the actor, who is behind the threat.

Researchers found that these malicious apps have successfully reached 4.5 million to 18.5 million downloads from Play Store. The most horrible thing stated in this research is that some of those malicious apps were in Google Play Store for several years with regular updates.

Also, it is unclear how long these malicious codes existed, hence, their actual spread remains unknown.

Besides these apps of the Korean developer, researchers discovered some malicious adware apps developed by other developers also.


"The connection between the two campaigns remains unclear, and it is possible that one borrowed code from the other, knowingly or unknowingly. The oldest app of the second campaign was last updated in April 2016, meaning the malicious code hid for a long time on Play Store undetected. These apps also had a large amount of downloads, between 4 and 18 million, meaning the total spread of the malware may have reached between 8.5 and 36.5 million users," the researchers wrote in a blog post.

Quite similar to FalseGuide and Skinner adware, which the researchers discovered earlier, Judy relies on the same communication with its command and control server (C&C) for its working. Researchers notified this vulnerability to Google Play and, as expected, they removed those malicious apps from the store.


To bypass the Bouncer, a security introduced in 2012 by Google to reduce the count of malicious apps in Play Store, actors created seemingly benign bridgehead app to establish connection to the victim’s device and insert it into the app store. Once a user downloads the malicious app, it quietly registers with an established connection with the C&C server.

The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.

Depending upon the ad clicks, the actor will receive payment from the website developer, which pays for the illegitimate clicks and traffic.

In addition to the clicking activity, Judy displays a large amount of advertisements, which in some cases leave users with no option but clicking on the ad itself. Most apps have positive ratings, but some of the users have noticed and reported Judy’s suspicious activities in the comment section.


To protect yourself from these malicious apps, always read the description of the app completely. Also, avoid installing apps created by anonymous developers. To be precise, "Avoid installing apps which contain the tag line ‘may contain ads’ from the Google Play Store."