A new Android malware called Judy has infected more than 36.5 million Android devices worldwide. Security firm Check Point reported the news this past Thursday, after discovering “dozens” of Android applications that infected users’ devices.
In one case, an infected app had been listed on the Google Play Store for more than a year.
The full extent of the malware’s spread is unknown. However, Check Point believes it has infected more than 36.5 million users – which would make it one of the most widely spread malware programs ever found on the Google Play Store.
After the Check Point report, Google removed the apps from the app store.
The malware is being called “Judy” because the infected apps were a series of casual cooking and fashion apps under the brand name “Judy”.
One of the reasons the malware went undetected for so long was that its payload was downloaded from a non-Google server after the apps were installed.
After the payload was installed, the app would use the infected phone to click on Google ads and generate fraudulent revenue for attackers.
Check Point’s estimate of 36.5 million infections may actually be low: a number of “Judy” apps weren’t included in Check Point’s estimates, including Fashion Judy: Magic Girl Style and Fashion Judy: Masquerade Style.
Who’s Behind the Judy Malware?
All of the Judy-branded apps appear to have been published by a Korean organization known as ENISTUDIO. However, ENISTUDIO wasn’t the only developer responsible for apps infected with the malware, and infected apps have been traced back to a variety of publishers.
There’s some good news about Judy: it appears to be primarily ad-focused malware. There’s no evidence that it compromised data on infected phones.
The really scary part about Judy is that it hid from Google for so long – in plain sight on the Google Play Store.
Millions of Android users were able to download and install Judy apps without triggering any of the layers of defense that typically protect Android users. This is more fuel for fans of Apple’s “walled garden” approach to app security, where each app receives manual approval from Apple before being listed on the App Store.
Fortunately, all instances of Judy apps have been removed from the Google Play Store. Nevertheless, it’s possible that other apps could carry similar malware.