In late May 2017, security researchers discovered Android malware in around 50 apps which were available on the Google Play Store.

Known as “Judy”, named after the malicious apps’ character, the malware is installed in parallel when the infected app is installed to the Android device. Researchers explained that the Judy malware is “an auto-clicking adware” which generates money through false clicks on online advertisements. They added that the malware is “definitely an illegitimate use of the users’ mobile devices for generating fraudulent clicks”.

The malware infecting Android devices with software that secretly generates fraudulent clicks for ads means that users have no idea what is happening. It opens URLs using the user agent, which imitates a PC browser and receives a redirection to another website. Once launched, the malware runs JavaScript code to find and click on banners from Google ads. Each time the ads are clicked, the malware creator is paid by the website developer, thereby paying for illegitimate clicks and traffic. It gets away with this by opening a hidden web browser, which the user cannot see, and clicking on the ads in the background. Judy relies on the communication with its Command and Control server (C&C) for its operation.

The common thread between the malicious apps is that the majority of them were created by Korean company Kiniwini, registered on Google as Enistudio. It makes a series of cooking and fashion games that feature a character called Judy, such as: Chef Judy, Princess Judy and Fashion Judy. One of the games, Chef Judy: Picnic Lunch Maker, had a 4.2 rating and been downloaded up to one million times. A high rating does not always indicate that the app is safe. It is easy for hackers to manipulate users into leaving positive ratings, sometimes unwittingly.

Figure 1: Sourced from


Some of the apps have remained undetected on Google Play for several years, however all were recently updated. It is not clear how long the malicious code has existed inside the apps. Based on the number of times the apps have been downloaded (between 4 and 18 million times), the estimated spread of the malware is somewhere between 8.5 and 36.5 million devices.

Since being notified of the discovery of Judy malware, Google has removed all affected apps from the Play Store. Judy was found on 41 apps from Kiniwini and 9 apps from other creators in total. The researchers advised that, “The connection between the two campaigns remains unclear, and it is possible that one borrowed code from the other, knowingly or unknowingly”.

Protecting Against App Malware

Your Android device (tablet or phone) is only at risk of being infected by Judy if you downloaded one of the malicious apps. A comprehensive list was published with the names of all the affected apps in Appendix 1 and Appendix 2. If you still have any of the listed apps on your device, you should delete them immediately.

Malware is not a new thing on the Google Play Store, however every effort has been made over recent years to reduce malicious code from being inserted into the apps hosted by the store. Back in 2012, Google introduced a feature called ‘Bouncer’ which automatically scans the products you upload and blocks any software that might be malicious. This system is not perfect though and malware does sometime sneak through.

As an added feature, Google Play Protect can be accessed through the Google Play Store’s app menu, and automatically checks apps before they are downloaded, removing any harmful apps from your devices.

Also ensure you are always using safe practice techniques to avoid any potential hard, a few tips listed below:

  •    using a VPN for browsing
  •    checking app permissions thoroughly when installing new apps
  •    installing mobile security software
  •    regularly updating any apps and operating systems to the latest versions
  •    uninstalling any app you no longer use or need

•    ensure you are downloading apps from the legitimate and intended developer.