Google Play apps hit by Judy Malware

  • 4

It’s turning out to be a bad month for the digital world. While the world is recovering from the WannaCry Ransomware outbreak, we now have a new malware on the loose and it is targeting Android devices. The malware is called Judy and it has infected around 41 apps in the Google Play store. More about this follows.

What is Judy and how does it work?
Judy is an auto-clicking adware. After it infects a device, it opens up web pages where it generates fraudulent clicks on advertisements to make money for the malware’s creator. These clicks are generated in extensive amounts – more the clicks, more the money.

Google Play apps affected by Judy
About 41 apps developed by a Korean company called Kiniwini, seemed to have been spreading the Judy malware. The company is registered on Google Play as Enistudio corp.

How Quick Heal Mobile Security helps?
Quick Heal detects and blocks the Judy malware as Android.Ewind.AU

How to stay safe from threats such as Judy

1. Google has removed the reported apps from the Play store. So, we can hope that the threat is gone. But just to be on a safer side, avoid downloading any apps developed by Enistudio for now.

2. Install a reliable mobile security app like Quick Heal that scans apps in real-time to detect and block such threats.

3. It is important to check for user ratings and comments before installing any app. While you may get to see positive reviews, you might come across a few that may help you decide whether the app is worth installing or not.

4. As a rule of thumb, avoid installing apps from unofficial, third-party app stores.

Technical Analysis of Judy Malware

judy-1-1Fig 1

The Judy malware relies on the communication with its Command and Control server (C&C) for its operation. Once installed on the device, the malware connects with the server (fig 2). Once the connection is established, the server replies with the actual malicious payload. Fig 3 shows the code that the server sends in its reply to check if the app is installing on a device or an emulator. If it is on an emulator, the app does not get installed.

judy-2Fig 2. Connecting with the C&C server

judy-3Fig 3. Connecting for JSON response to check if the app is running on an emulator


1. Once installed, the infected app looks like any other ordinary app.

Fig 4

2. At the bottom of the app, there is an option called shop to purchase different items.

3. If the user clicks on the shop button, it shows multiple options to earn stars by purchasing or downloading apps, some of which are genuine (fig 6 & 7).

Fig 5. Options for downloading free stars

Fig 6

Fig 7

4. Selecting a Free Stars option shows a page which asks the user to download an app which will fetch them the free stars.

5. If the user downloads one of these apps, the screen displays that they will receive free stars. But, in the background, the app opens multiple advertising URLs before downloading the actual app, to generate the fraudulent clicks which we had discussed earlier. The user, however, remains aloof to all these activities (fig 8).

Fig 8

Subject Matter Expert
Anand Singh, Gajanan Sopan Khond | Quick Heal Security Labs


Quick Heal Security Labs

Quick Heal Security Labs

No Comments, Be The First!

Your email address will not be published.