Ready to Start Your Career?

What You Should Know About the Judy Malware

Apurv Singh Gautam's profile image

By: Apurv Singh Gautam

August 16, 2017

A new widespread malware has been detected on the Google’s official Play Store. It has infected more than 36.5 million Android users. 41 apps developed by a Korean company named Kiniwini, registered on Google Play as ENISTUDIO Corp. have been found as infected.

The reason for the enormous spread: The malware has successfully bypassed the Google Play’s protection “Bouncer”.

Why was Judy undetected for over a year? The actual malicious payload is downloaded from an external non-google server only after the infected application has been installed on the device.

Google’s Action: On being alerted by Checkpoint, a security firm, Google play store has swiftly taken down all the concerned applications.

Where is JUDY?

  • The infected apps are present on the google play store under an array of casual cooking and fashion games under the “Judy” brand.
  • Several other apps developed by other developers are also found containing the malware. Reason being: borrowed code from the “Judy” line of games.

Basic Operation: Click Baits - The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements to produce revenues for the malware’s author and other perpetrators.

How does JUDY work?

Judy is an auto-clicking adware. It relies on the communication with its Command and Control server (C&C) for its operation. Hackers create a bridgehead app and insert it into the app store. This app sought to establish a connection with the victim’s device.


  1. Malicious app downloaded by the user.
  2. App silently registers receivers on the infected device to establish connection with the C&C server.
  3. Server replies with the actual malicious information, including JavaScript code, a user-agent string and URLs controlled by the malware author.
  4. Malware then opens the URLs through the User Agent imitating a PC browser in a hidden webpage.
  5. Malware receives a redirection to the target website.
  6. On the Target website, the malware uses the JavaScript code to locate and click on ads.
  7. Upon clicking the ads, the malware author receives payment from the website developer, who pays for the illegitimate clicks.

JUDY’s Effect on the Android User: 

Up till now there has been no evidence of any data being compromised on the infected device. Also the malware only generates revenue on the website developer’s end, incurring no direct financial harm to the devices’ user.

Solution: If your device is infected it is advisable to backup all your essential data and format the device.

However the detection of this malware has raised serious questions on the security measures of the Android OS.

Schedule Demo