On May 25, 2017, Check Point reported a malware family named Judy as possibly the largest malware campaign ever. According to the researchers, Judy is “an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.” Google has removed all known apps from the Play Store.
The authors were proactive in their attempts to evade Play Store detection: the click-fraud logic was delivered through dynamic updates after installation rather than shipped in the reviewed package, and each app was uniquely signed.
There appear to be no attempts at data exfiltration or other typical malware activity, since such behavior would draw attention and undermine the authors’ ability to generate click-fraud revenue.
This malware continues a trend of applications that pose a low threat to mobile device data confidentiality, integrity, and availability while pursuing click-fraud monetization via dynamic updates after installation. Should the authors’ monetization be negatively impacted, they may seek more dangerous approaches that introduce greater risks to devices.
While media reports described this as possibly the largest malware campaign ever, it was not an attack on enterprise data or on specific users.
We recommend that all users:
- Only install apps from trusted sources
- Read app details and reviews to look for warnings before installing
Additionally, enterprises should use a mobile security product to evaluate device risks and application behaviors before allowing access to enterprise resources.
Appthority customers are automatically protected from the Judy malware. In addition to detecting the applications’ click-fraud behavior, Appthority has added detection for all apps from the author, Kiniwini games. Should the author release a non-click-fraud app in the future, it will still be flagged, because an author that has abused dynamic updates to deliver malicious code can no longer be trusted. Apps by the Judy developer are therefore identified with the “Known Malware” application behavior.
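The two detection layers described above (flagging an app on the behavior that enables post-install code delivery, and flagging everything from a blocklisted developer) can be illustrated with a small static triage script. The following is an example added for this article, not Appthority’s detection logic and not code from the Judy apps. It assumes that strings have already been pulled out of a decoded APK (for example from the smali or `classes.dex` of an unpacked app), and the list of dynamic-code indicators and their weights is an assumption for illustration; the article does not state which mechanism Judy used for its updates. The sample strings are constructed.

```python
"""
Static triage of strings extracted from a decoded Android app.

Added example for this article (not Appthority's detector). Two checks:
  1. Indicators that code or scripts are fetched and executed after install
     ("dynamic updates"), scored by weight.
  2. A developer blocklist: anything from a blocklisted author is
     "Known Malware" regardless of what the current package does.
"""
import re

# Assumed indicators of runtime code/script loading. Weights are arbitrary
# and chosen for illustration; they are not taken from the Judy analysis.
INDICATORS = {
    "Ldalvik/system/DexClassLoader;": 3,
    "Ldalvik/system/InMemoryDexClassLoader;": 3,
    "Ldalvik/system/PathClassLoader;": 2,
    "Landroid/webkit/WebView;->addJavascriptInterface": 2,
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled": 1,
    "Ljava/lang/Runtime;->exec": 2,
}

# A URL in the binary that points at executable content (dex/jar/apk/js).
REMOTE_CODE_URL = re.compile(r"https?://[^\s\"']+\.(?:dex|jar|apk|js)\b", re.I)

# Developer blocklist. Kiniwini is named in the article; matching on the
# store-listing developer name is an assumed policy for this example.
BLOCKED_DEVELOPERS = {"kiniwini"}

# Score at or above which an app is flagged for dynamic code loading
# (assumed threshold).
DYNAMIC_CODE_THRESHOLD = 5


def triage(strings, developer=None):
    """Return a verdict dict for one app given its extracted strings and,
    optionally, the developer name from the store listing."""
    found = {}   # indicator -> weight, deduplicated per app
    urls = set()
    for s in strings:
        for indicator, weight in INDICATORS.items():
            if indicator in s:
                found[indicator] = weight
        match = REMOTE_CODE_URL.search(s)
        if match:
            urls.add(match.group(0))

    score = sum(found.values()) + 3 * len(urls)
    blocked = developer is not None and any(
        name in developer.lower() for name in BLOCKED_DEVELOPERS
    )

    if blocked:
        label = "Known Malware"          # author-level block, behavior ignored
    elif score >= DYNAMIC_CODE_THRESHOLD:
        label = "Dynamic code loading"   # behavior-level finding
    else:
        label = "No finding"

    return {
        "label": label,
        "score": score,
        "indicators": sorted(found),
        "urls": sorted(urls),
    }


# Constructed sample: what a string dump of a game that pulls a script
# from a server might contain. The hostname is a placeholder.
SAMPLE_STRINGS = [
    "Lcom/example/game/MainActivity;",
    "Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V",
    "Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V",
    "Landroid/webkit/WebSettings;->setJavaScriptEnabled(Z)V",
    "https://cdn.example.invalid/update/payload.js",
]

if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS, developer="Kiniwini games"))
    print(triage(SAMPLE_STRINGS))
    print(triage(["Lcom/example/game/MainActivity;"], developer="Example Studio"))
```

Running the sample gives a "Known Malware" verdict when the developer is Kiniwini (the score of 9 is computed but does not decide the label), a "Dynamic code loading" verdict for the same strings from an unknown developer, and "No finding" for a benign string set. The point of the ordering is the one the article makes: once an author has shipped malicious dynamic updates, the author-level block takes precedence over whatever the current package happens to do.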
Contact Appthority if you have any questions around impacted Judy Click Fraud apps in your environment.