Judy is a type of Android auto-clicking adware discovered in 41 apps available in the Google Play store. Malicious actors use devices infected with Judy to generate revenue through fraudulent clicks on advertisements. According to the cybersecurity firm Check Point, once the malicious app is installed it contacts its C2 server, which transmits the malicious payloads to the infected device: JavaScript code, a user-agent string, and URLs controlled by the threat actor. Judy opens those URLs using the supplied user-agent string and is redirected to another website. Once that website loads, the JavaScript code locates and clicks banner ads, and the threat actor is paid by the website developer for the illegitimate clicks and traffic. Additionally, the malicious apps display ads on the mobile device, often in a way that forces users to click on the ad.

Judy appeared mainly in apps developed by the Korean company Kiniwini, registered on Google Play as ENISTUDIO Corp; however, it was also found in apps from other developers on Google Play, a possible indication that the code was borrowed. Although it is unclear how long the malicious code existed inside the apps, one app had not been updated since April 2016 and remained available for download in the Google Play store throughout that time. The total number of users who downloaded one of the malicious apps may be between 8.5 and 36.5 million. After Check Point notified Google of the malicious apps, they were removed from the Play store.

Technical Details

  • Check Point Software Technologies, Ltd. provides a technical analysis of Judy here.