Android: Judy Malware

Original Issue Date:- May 30, 2017
Type:- Adware
Severity:- Low

It has been reported that a malware named “Judy”, targeting Android devices, was spreading via Google’s official app store. The malware is auto-clicking adware which compromises Android devices and fraudulently uses them to click on advertisements, thereby generating revenue for the attackers/malware authors.

Information about Malicious Apps:

It has also been reported that the apps used to perform the malicious activities were developed by a company named “Kiniwini”, which is registered on the Google Play store under the name “ENISTUDIO Corp Ltd.”.

About 41 such applications, either compromised or malicious in nature, were hosted on the Google Play Store.

These apps are mostly cooking and fashion games under the ‘Judy’ brand. One of the malicious apps is shown below:

These applications are capable of performing the following functions:

  • Displays a large number of advertisements, thereby forcing users to click on them.
  • Makes fraudulent auto-clicks on advertisements to generate revenue.
  • Makes network connections to a remote command and control server.

These apps are embedded with malicious code capable of bypassing the security policy with which the Google Play store checks applications before hosting them. Upon successful installation of one of these malicious apps on the victim's device, it

  • Makes a network connection to the CnC server, from which it downloads the actual payload: JavaScript, a URL and a user agent string controlled by the malware author.
  • The malware then browses the URL and redirects the victim to the targeted website.
  • Thereafter the malware executes the JavaScript to locate and click on banners from the Google Ads infrastructure.
  • These clicks generate revenue for the malware authors.

Note: The Google Play store has now removed all the applications developed by “ENISTUDIO Corp Ltd.”.

Indicators of Compromise:

The following apps are reported to be malicious (users are advised to uninstall these apps):

air.com.eni.FashionJudy061, air.com.eni.AnimalJudy013, air.com.eni.FashionJudy056, air.com.eni.FashionJudy057, air.com.eni.AnimalJudy009, air.com.eni.ChefJudy058, air.com.eni.FashionJudy074, air.com.eni.AnimalJudy036, air.com.eni.FashionJudy062, air.com.eni.FashionJudy009, air.com.eni.ChefJudy055, air.com.eni.ChefJudy062, air.com.eni.FashionJudy067, air.com.eni.AnimalJudy006, air.com.eni.FashionJudy052, air.com.eni.AnimalJudy033, air.com.eni.ChefJudy059, air.com.eni.ChefJudy056, air.com.eni.AnimalJudy018, air.com.eni.AnimalJudy035, air.com.eni.JudyHappyHouse, air.com.eni.ChefJudy036, air.com.eni.ChefJudy063, air.com.eni.FashionJudy051, air.com.eni.FashionJudy058, air.com.eni.ChefJudy057, air.com.eni.ChefJudy030, air.com.eni.AnimalJudy005, air.com.eni.JudyHospitalBaby, air.com.eni.FashionJudy068, air.com.eni.AnimalJudy034, air.com.eni.FashionJudy076, air.com.eni.FashionJudy072, air.com.eni.AnimalJudy022, air.com.eni.AnimalJudy002, air.com.eni.FashionJudy049, air.com.eni.AnimalJudy001, air.com.eni.FashionJudy053, air.com.eni.FashionJudy075, air.com.eni.ChefJudy038, air.com.eni.ChefJudy064, air.eni.JudySpaSalon

Source: Checkpoint
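As an added example (not part of the advisory), the following Python script checks a device's installed packages against the IoC list above: it parses the output of `adb shell pm list packages`, reports exact matches as malicious, and reports any other package under the Kiniwini/ENISTUDIO namespaces (`air.com.eni.`, `air.eni.`) as suspicious. The embedded `pm` output is constructed for the demonstration, and `air.com.eni.FashionJudy099` is a made-up package name that does not appear in the advisory.

```python
import re

# Package names the advisory reports as malicious (Check Point's list).
_JUDY_RAW = """
air.com.eni.FashionJudy061, air.com.eni.AnimalJudy013, air.com.eni.FashionJudy056, air.com.eni.FashionJudy057,
air.com.eni.AnimalJudy009, air.com.eni.ChefJudy058, air.com.eni.FashionJudy074, air.com.eni.AnimalJudy036,
air.com.eni.FashionJudy062, air.com.eni.FashionJudy009, air.com.eni.ChefJudy055, air.com.eni.ChefJudy062,
air.com.eni.FashionJudy067, air.com.eni.AnimalJudy006, air.com.eni.FashionJudy052, air.com.eni.AnimalJudy033,
air.com.eni.ChefJudy059, air.com.eni.ChefJudy056, air.com.eni.AnimalJudy018, air.com.eni.AnimalJudy035,
air.com.eni.JudyHappyHouse, air.com.eni.ChefJudy036, air.com.eni.ChefJudy063, air.com.eni.FashionJudy051,
air.com.eni.FashionJudy058, air.com.eni.ChefJudy057, air.com.eni.ChefJudy030, air.com.eni.AnimalJudy005,
air.com.eni.JudyHospitalBaby, air.com.eni.FashionJudy068, air.com.eni.AnimalJudy034, air.com.eni.FashionJudy076,
air.com.eni.FashionJudy072, air.com.eni.AnimalJudy022, air.com.eni.AnimalJudy002, air.com.eni.FashionJudy049,
air.com.eni.AnimalJudy001, air.com.eni.FashionJudy053, air.com.eni.FashionJudy075, air.com.eni.ChefJudy038,
air.com.eni.ChefJudy064, air.eni.JudySpaSalon
"""
JUDY_IOC_PACKAGES = frozenset(p.strip() for p in _JUDY_RAW.split(",") if p.strip())

# Developer namespaces the advisory attributes to Kiniwini / ENISTUDIO Corp Ltd.
# A package under one of these that is not on the exact list is flagged as suspicious.
_ENI_PREFIXES = ("air.com.eni.", "air.eni.")

_PM_LINE = re.compile(r"^\s*package:(\S+)")


def parse_pm_list(output: str) -> list[str]:
    """Extract package names from `adb shell pm list packages` output."""
    return [m.group(1) for m in map(_PM_LINE.match, output.splitlines()) if m]


def check_packages(installed: list[str]) -> dict[str, list[str]]:
    """Classify installed packages against the advisory's IoCs."""
    verdict: dict[str, list[str]] = {"malicious": [], "suspicious": []}
    for pkg in installed:
        if pkg in JUDY_IOC_PACKAGES:
            verdict["malicious"].append(pkg)
        elif pkg.startswith(_ENI_PREFIXES):
            verdict["suspicious"].append(pkg)
    return verdict


# Constructed sample of `adb shell pm list packages` output (FashionJudy099 is made up).
SAMPLE_PM_OUTPUT = (
    "package:com.android.chrome\npackage:air.com.eni.ChefJudy058\n"
    "package:air.com.eni.FashionJudy099\npackage:com.example.notes\n"
)

if __name__ == "__main__":
    for kind, pkgs in check_packages(parse_pm_list(SAMPLE_PM_OUTPUT)).items():
        for pkg in pkgs:
            print(f"{kind}: {pkg}  (remove with: adb uninstall {pkg})")
```

On a real device, pipe `adb shell pm list packages` into `parse_pm_list` instead of the sample; a "suspicious" hit only means the package shares the developer namespace and should be reviewed against the SHA256 list before removal.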

List 2: Malicious Apps developed by other developers

Note: The list of SHA256 hashes of the malicious apps can be downloaded from here

Countermeasures:

  • Do not click on banners, pop-ups or ad notifications on Android devices.
  • If any of the malicious apps mentioned in the above Indicators of Compromise (IoC) are installed, uninstall them.
  • Refer to the security tips for mobile phones:
    http://www.cyberswachhtakendra.gov.in/documents/Mobile_phone_Security.pdf
  • Install Android updates and patches as and when they are made available by Android device vendors.
  • Install and maintain an updated mobile security/antivirus solution.
  • Do not download and install applications from untrusted sources. Install only applications downloaded from reputed application markets.
  • Do not check the "Untrusted Sources" checkbox to install side-loaded apps.
  • Read the app's terms and conditions, specifically the permissions required by the app, before installing.
  • Enable 2-factor authentication for your Google and other accounts.
  • Run a full system scan of the device with a mobile security or mobile antivirus solution.
  • Check the permissions required by an application before installing it.
  • Exercise caution when clicking links while visiting trusted or untrusted sites.
  • Users are advised to use device encryption or the external SD card encryption feature available with most Android OS versions.
  • Users are advised to keep an eye on data usage (including per-application usage) and on unusual increases in mobile bills.
  • Users are advised to keep an eye on device battery usage (including per-application usage).
  • Load Flash content on demand.
  • Use Android Device Manager to locate, remotely lock, or erase your device.
  • Avoid using unsecured, unknown Wi-Fi networks. There may be rogue Wi-Fi access points at public places used for distributing malicious applications.
  • Make a practice of taking regular backups of the Android device.

References