Google Play store games infected 36.5 million users with malware

Online security researchers at Checkpoint have recently come across a zero-day malware dubbed Judy which was being distributed on the popular mobile download platform Google Play. The extent of this Android-based malware campaign is unprecedented: as many as 41 Judy-related fashion, animal care, and cooking games were found lurking for the unsuspecting players, sometimes, for years at a time. The oldest app with the malicious code dates back to April 2016, thought the real beginning of the malware distribution may go back even further than that. Based on primary estimations, the malware could have potentially affected between 4 to 36.5 million users. If these numbers are accurate, we might be dealing with the biggest Android breach to date. Luckily, Google has already banned all the malicious apps from the Play store, immobilizing the further spread of the malware. However, many are still curious what has made this malware so successful and who stands behind this evil creation. We try to answer these questions below.

Judy apps have been developed by a legitimate Korean company called Kiniwini, though on the Play store they were spreading the malware under the name of Enistudio corp. It is one of the rare cases when legitimate software providers get involved in shady businesses, but they are definitely not the first ones. There are many reasons why legitimate companies choose to do so. Most of the time, they are looking for an easier way to gain popularity or monetize their products. It might just be the case with Judy malware as well. The parasite is primarily designed to use the infected device to visit random websites and generate extensive amounts of clicks on various ads. While the websites behind these ads receive an increased amount of traffic, perpetrators generate advertising revenue. This process is managed via Command & Control center to which Judy apps connect whenever the infected device is connected to the network ^[1]. The first time malware establishes this connection it downloads the malicious Javascript payload which is later used to generate automated clicks. As if that’s not enough, the malware also generates intrusive ads on the phone’s web browser, often forcing the victims to click the ads manually.

What has led Judy applications to become so popular was the fact that they all had good ratings on the Google Play store and were praised by the users. Only these were NOT legitimate ratings. The criminals auto-generate obscure comments such as “Fun” “Awesome Game,” etc. to boost the ranking of their malicious apps, making them more look more trustworthy and appealing. So, next time you feel like brightening your day with some fun new game, don’t just go downloading random apps without closely examining them. Go through the desired product reviews attentively, check what permissions does it require and spare a minute to skim through the EULA.