Security firm Check Point reported that dozens of Android apps were infected with the so-called “Judy” malware. The malware was spread in a seemingly innocent way: it used fashion and cooking apps labeled under the “Judy” brand on the Google Play Store.
One “Judy” app had been freely available on the Google Play Store for over a year. According to Check Point estimates, more than 36.5 million users had been exposed to the malware.
Since the blockbuster report emerged online, Google has removed all instances of Judy apps from the app store.
36.5 million infections would make Judy one of the most widely spread malware applications ever found on the Google Play Store.
How Does Judy Work?
Judy was primarily a malvertising problem. The app didn’t steal users’ data or monitor account information. Instead, the app was exclusively designed to click on Google ads across the internet. This would generate fraudulent revenue for attackers.
There’s no evidence that Judy compromised data on infected phones.
36.5 million users may seem like a high number. However, Judy may have spread to an even greater number of phones than originally estimated: two popular Judy apps were not included in Check Point’s tally, Fashion Judy: Masquerade Style and Fashion Judy: Magic Girl Style.
The apps were created by a number of different publishers. However, multiple apps were linked to a Korean organization called ENISTUDIO, which is the only publisher to appear on the list more than once.
How Did Judy Hide for So Long?
The big question about the Judy malware is how it was able to hide for so long.
The main reason is that the malware’s payload was downloaded from a non-Google server after the apps were installed. Once the payload was installed, the app would start to click on Google ads and generate fraudulent revenue for attackers.
Ultimately, Google has removed all instances of Judy apps from the Google Play Store. However, the fact that the apps were freely available for so long on the app store is bad news for Android’s security ecosystem – and good news for supporters of Apple’s walled garden approach to app security.