
Judy Android malware may have been hiding for a year

(Image credit: CyberHades / Flickr)

A highly infectious new form of Android malware has been discovered after reportedly infecting millions of devices worldwide.

Security researchers from Check Point have warned that roughly 50 Android games have been found to contain code that directs the infected device to a target website, where it generates clicks on the site's ads, making money for the malware's creator.

All the games feature a character named Judy, and have been downloaded up to 36.5 million times, the firm said.

The majority of the infected apps come from a South Korean developer named Kiniwini, which publishes games on the Google Play Store under the name Enistudio. Between them, these apps have been downloaded between four million and 18 million times, meaning millions of devices could have been compromised across the world.

Similar code has been spotted in a couple of other games, too, but Check Point isn’t sure if someone just borrowed a piece of code, unaware of the malware hiding inside.

Check Point said it is not sure how long the apps have been in the Play Store, but they were updated in March this year.

The oldest app was uploaded a year ago, and the apps appear to have bypassed Google’s Bouncer system, which supposedly tracks malicious code.

“To bypass Bouncer, Google Play’s protection, the hackers create a seemingly benign bridgehead app, meant to establish connection to the victim’s device, and insert it into the app store,” Check Point wrote in a blog post describing the malware.

“Once a user downloads a malicious app, it silently registers receivers which establish a connection with the C&C server. The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website. Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure.”
