
On Thursday, Check Point revealed it had found a new malware campaign plaguing Android devices. The software, developed by a Korean company named Kiniwini and published by ENISTUDIO Corp., is available on Google Play. Known as Judy, it makes infected devices click on ads without the user's consent to generate fraudulent revenue.

The security researchers claim the malicious code was present in more than 40 apps uploaded by ENISTUDIO Corp. to Google Play. Apps by the same developer are available for download on the App Store for iOS devices, but analysts said they did not find traces of the campaign in those versions.

Variants of the Judy malware are also inside other apps not linked to these developers, which extends its potential reach. Google removed the apps by the identified parties after being notified by Check Point, but they could have infected more than 30 million devices already.

What is Judy and how does it work?

Judy, which gets its name from the central character of the Kiniwini app franchise, is a piece of malware that essentially takes over your device to click on ads on websites developed by the same creators, generating fake revenue for them.

To achieve this, the developers created what Check Point dubs a bridgehead app. It hides within other apps, and it triggers once downloaded to a user’s device.

The bridgehead app is designed to look legitimate and to bypass Google Bouncer, the gatekeeper that reviews suspicious content on Google Play. Afterward, it establishes communication between the device and the server so hackers can effectively use the smartphone or tablet as an ad-clicking bot.

Once installed, JavaScript code also contained in the app launches and starts redirecting the user to websites, where it automatically searches for and clicks on banners by Kiniwini.

How to know if you are affected and how to solve it

It is simple: if you have not installed any apps developed by Kiniwini or published by ENISTUDIO Corp., then most likely you are clear. Also, the other apps detected to be carrying Judy are Korean, so if you are not a Korean Android user, you’re probably safe.

It is still unclear how long the Judy malware has been lurking in Google Play, but some of the apps were last updated as far back as last year, which suggests they could have been around for a considerable time.

Check Point alerted Google to the issue, and as of the moment of the report, the tech giant had already removed all the ENISTUDIO Corp. apps from the repository. If you have one of these Judy apps installed, researchers urge you to uninstall and delete it immediately.

Source: Check Point