The cyber world is still under the process of recovering from recent ransomware “wannacry” attack on windows SMB vulnerability

(a.k.a) eternal blue exploit, another malware has strike mobile application distribution platform by name “JUDY” compromising

36.5 million phones across the globe. The renowned security research agency ‘checkpoint’ has identified“JUDY” malware and the 

infected mobile applications hosted on the Google Play Store.

JUDY Malware

JUDY malware is designed to target the smartphone mobile users, according to the research by checkpoint it is identified and reported that JUDY malware is primarily spread through the mobile applications registered and hosted on google play store by Korean mobile application developer.

JUDY Malware Impact :

It affects the smartphone user by downloading the disguise or malicious app to the mobile phone from google play store. This malicious application in stealth mode establishes connection with Command and Control (C&C) server and sends request to C&C server. Further C&C server shall reciprocate to the request and delivers the malware payload in form of javascript code to the mobile phone, JavaScript code includes user agent string of URL’s controlled and owned by perpetrators. JUDY opens URL owned by malware creators through the user agent string that emulates the browser and redirects to another website and clicks on the banners connected to Google Ad network.

JUDY malware is delivered as payload by surpassing the Google Protection layer. This malware is developed with a plan to create huge revenue stream by illegitimate traffic to website and generate clicks on the ads placed on the website though fraudulent procedures. JUDY apart from generation of clicks on the website through illegitimate web traffic, it also abuses the users forcing them to click on certain ads tagged with infected apps downloaded from google play store to generate illegitimate click-per-view revenues. This activity pops up unusual screen activity on user mobile.

JUDY - Behind Screen

The checkpoint during the research on googleplay store has found that the JUDY malware is enrouted through the applications developed that are 

hosted under the account of ENISTUDIO corp, this google playstore account is owned by the korean company by name Kiniwini. It is also observed 

during the research of checkpoint that these mobile applications were last updated as second campaign in April 2016, hence this goes to show its 

existence on google in play store from longtime.

JUDY - Infected Apps on Google Play Store

As above stated, the malware is installed through the apps that are hosted on google play store by account name of ENISTUDIO corp and below are the few infected applications identified.

Partial - Infected Mobile Applications List.

Fashion Judy: Snow Queen style, Fashion Judy: Pretty rapper, Fashion Judy: Teacher style, Fashion Judy: Wedding Party, Fashion Judy: Bunny Girl Style, Fashion Judy: Frozen Princess, Fashion Judy: Uniform style, Fashion Judy: Vampire style , Fashion Judy: Wedding day, Fashion Judy: Waitress style ,Fashion Judy: Country style, Fashion Judy: Myth Style, Fashion Judy: Twice Style, Fashion Judy: Couple Style, Fashion Judy: Halloween style, Fashion Judy: EXO Style, Animal Judy: Rabbit care, Animal Judy: Dragon care, Animal Judy: Persian cat care, Animal Judy: Nine-Tailed Fox, Judy’s Spa Salon, Chef Judy: Service Station Food, Chef Judy: Dalgona Maker, Animal Judy: Cat care, Animal Judy: Dog care, Animal Judy: Fennec Fox care, Animal Judy: Feral Cat care, Judy’s Hospital:pediatrics, Chef Judy: Picnic Lunch Maker, Chef Judy: Character Lunch, Chef Judy: Birthday Food Maker, Chef Judy: Hotdog Maker – Cook, Judy’s Happy House, Animal Judy: Elephant care, Animal Judy: Sea otter care, Chef Judy: Chicken Maker, Chef Judy: Jelly Maker – Cook, Chef Judy: Udong Maker – Cook , Chef Judy: Triangular Kimbap, Chef Judy: Halloween Cookies, Animal Judy: Teddy Bear care.

Upon the alert from checkpoint on security breach and malwares spread through the infected mobile apps, Google play store has taken down all the infected apps and removed account from app distribution repository.

Do I have threat with this event ?

Of course yes, this incident goes to show that there might be more malware that are existing in stealth and covert mode that can surpass the google play store protection shield. It is very important to think twice on each app and check the credentials of its developer before you download and install.

Possible Remedial Measures.

• Scan for vulnerabilities through legitimate AV application.

• Do not install any applications from unknown/non-certified sources. Check the permissions on mobile phone requested by app during installation and confirm whether is it really required.

• Check and Disable the “Install Software from Unknown Sources” on your smartphone. Avoid connecting to the unsecure public networks wifi networks.

• Monitor the smartphone activity (i.e) active applications, browsers to identify the unusual activities on mobile. Take periodic backup of the mobile data to standalone drive or cloud.

With efforts of checkpoint research on malware, google has identified the infected apps and further removed them,  JUDY malware once again proves that the blackhats and perpetrators evolve new techniques and methods to compromise the technology platforms.