Breach, Malware

Judy Malware Infects Millions of Android Devices

Attacks on mobile devices are certainly increasing. I've always stated that malware developers will go for the widest possible spread. Since mobile devices are what we use the most, it only makes sense that attackers will be targeting them more frequently. Among the last examples: Check Point recently discovered a new malware strain dubbed "Judy" already infecting millions of Android devices.

Android Malware Called Judy: How It Works

Once a user has downloaded the malicious app, the software makes a call to a server. Then, the mobile device is sent more code that has the payload for the Judy malware. This helps Judy get around Android's Bouncer and allows the app to be approved for the official Google Play store. Once the app has received the new instructions, it will open web pages in a hidden browser and click the ads on that site. These clicks translate into dollars for the malware developers, as they get paid from the advertisers for the clicks from all of the various infected devices.

Problems for your device

As the malware opens websites and clicks the advertisements on them, your device will definitely have performance issues. The device will be slower to start applications, could overheat easily, and the Internet connection can become extremely slow. You may also see your data usage significantly increase from your mobile carrier. This malware can also cause popups to appear on your device, in addition to the ones being clicked on the hidden browser, that will force you to manually click their ads as well.

How to tell if you are infected

Many of the symptoms listed above can point to an infection, but you can also check for some specific apps. Since the apps themselves have been around for a while, and had a relatively good rating, and install count, it could have infected between 8 million to 36 million devices. Most of the apps infected with this malware use Judy in the title, such as Chef Judy, Fashion Judy, Animal Judy, etc. from ENISTUDIO corp. The apps have already been pulled from the Google Play store, but definitely, check your devices to see if you have any of these applications. It has also appeared in a few other applications not created by ENISTUDIO corp, so a good idea would be to run a virus scan on your device to verify that it has not been infected.

How to Protect Android Users

Installing a virus scanner on mobile devices is becoming increasingly important. As attackers increase their assault on mobile devices, virus protection is going to be as essential as it already is on a desktop or laptop computer. Creating a regular schedule on devices to run malware scans will help discover threats before too much damage can be done. Even if an app is scanned as it's installed, it is a good idea to run frequent scans to locate items like Judy that brings the malicious payload after it has been installed.

Also, be sure to monitor the apps that are being installed on devices. Often children will install or request apps on our devices that you wouldn't normally install. Make sure any application installed is from a highly trusted source, usually a name brand that you know and recognize immediately. Also, it's a good idea check for brand name misspellings like D1sney. It can certainly appear to be legit to a person who is not paying close attention. As evidenced by this infection, install count and user reviews can be quite meaningless. Especially when the malicious payload has nothing to do with the application itself, and performs most of its functions in the background.

Lastly, MSSPs should pay attention to the permissions granted to an application during installation. The apps will no longer ask for the permission upon install. They will wait until you load the app and it tries to use the appropriate permission and then it will ask. So be sure to tell any children using the device that they are not allowed to click "allow" on anything that pops up. A game doesn't need to have access to email or contacts. Be very aware of exactly why the application would need the permission and ask yourself if it's worth it to grant it.

Related Terms

AdwareAttack Vector

You can skip this ad in 5 seconds