Technical Malware Analysis: Judy [Korean Origin].
'JUDY' MALWARE: UNDETECTED FOR MORE THAN A YEAR


"ALL MOBILE USERS SHOULD BE AWARE OF THE APPLICATIONS THEY ARE INSTALLING ON THEIR PHONES"

Intro

This article gives a brief overview of a malware variant named 'JUDY', which I dissected inside a sandbox environment and whose behavior I monitored. Here are my findings and recommendations.

The birth-point:

A few months back, a widespread malware variant was detected on Google's official Play Store. It had rapidly infected more than 36.5 million Android users. 41 apps developed by a Korean company named 'Kiniwini', registered on Google Play as 'Enistudio Corp', were found to be infected.

The reason for the enormous spread:

The malware variant successfully bypassed Google Play's protection, "Bouncer".

Why was Judy undetected for over a year?

The actual malicious payload is downloaded from an external, non-Google server only after the infected application has been installed on the device, so the app submitted to the store contains nothing for the scanner to flag.

Google’s Response:

On being alerted by Check Point, a leading security firm, Google swiftly took down all the affected applications from the Play Store.

Where was JUDY?

The infected apps were present on the Google Play Store as an array of casual cooking and fashion games under the "Judy" brand.

Several other apps by other developers were also found to contain the malware. It was later discovered that they had borrowed code from the "Judy" line of games.

Basic Operation:

Click fraud – The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements to produce revenue for the malware's author and other perpetrators.

How does JUDY work?

Judy is an auto-clicking adware. It relies on communication with its Command and Control (C&C) server for its operation. The attackers create a bridgehead app and insert it into the app store; once installed, this app establishes a connection from the victim's device to the C&C server (the command-and-control server response is shown above).

STEP-BY-STEP:

  1. Malicious app downloaded by the user.
  2. App silently registers the infected device to establish connection with the C&C server.
  3. The server replies with the actual malicious instructions, including JavaScript code, a user-agent string and URLs controlled by the malware author (JavaScript payload shown above).
  4. The malware then opens the URLs in a hidden webpage, using the supplied user-agent string to imitate a PC browser.
  5. Malware receives a redirection to the target website.
  6. On the Target website, the malware uses the JavaScript code to locate and click on ads.
  7. Upon clicking the ads, the malware author receives payment from the website developer, who pays for the illegitimate clicks.
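The seven steps above are visible on the wire during a sandbox run. The script below is an added example, not code from the original article or from Check Point's analysis: it replays a constructed proxy log (the hostnames, paths and the JSON field names `ua`, `urls` and `js` are invented for the example) and flags the three observable stages of the pattern: a server reply carrying JavaScript, a user-agent string and target URLs; later requests that reuse that server-supplied desktop user-agent from a phone; and fetches of the URLs the server directed.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample of what a sandbox proxy might record for one run.
# Hostnames use the reserved .invalid TLD; paths and field names are invented.
SAMPLE_RECORDS = [
    {"t": 1, "method": "POST", "host": "api.cnc.invalid", "path": "/register",
     "req_ua": "Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G930F Build/NRD90M)",
     "resp_body": json.dumps({
         "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0.3029.110",
         "urls": ["http://landing.adnet.invalid/offer?id=42"],
         "js": "var a=document.getElementsByClassName('adsbygoogle')[0]; a && a.click();",
     })},
    {"t": 2, "method": "GET", "host": "landing.adnet.invalid", "path": "/offer",
     "req_ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/58.0.3029.110",
     "resp_body": "<html>...</html>"},
    {"t": 3, "method": "GET", "host": "www.googleapis.com", "path": "/auth",
     "req_ua": "Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G930F Build/NRD90M)",
     "resp_body": "{}"},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

DESKTOP_UA = re.compile(r"Windows NT|Macintosh|X11; Linux x86_64")
MOBILE_UA = re.compile(r"Android|Mobile|Dalvik")
CLICK_JS = re.compile(r"\.click\(|dispatchEvent\(", re.IGNORECASE)


def is_desktop_ua(ua: str) -> bool:
    """A desktop browser string sent from a phone is the step-4 impersonation signal."""
    return bool(DESKTOP_UA.search(ua)) and not MOBILE_UA.search(ua)


def parse_instruction(body: str) -> Optional[dict]:
    """Recognise a step-3 style reply: JSON carrying a UA, target URLs and JavaScript."""
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        return None
    if isinstance(data, dict) and {"ua", "urls", "js"} <= set(data):
        return data
    return None


def host_of(url: str) -> str:
    """Hostname part of a URL, without scheme, path or port."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]


def triage(log_text: str) -> Dict[str, object]:
    """Walk the log in time order and correlate C&C instructions with later traffic."""
    findings: List[str] = []
    supplied_uas, target_hosts = set(), set()
    records = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for rec in sorted(records, key=lambda r: r["t"]):
        instr = parse_instruction(rec.get("resp_body", ""))
        if instr:
            findings.append(f"t={rec['t']}: C&C-style instruction from {rec['host']}")
            supplied_uas.add(instr["ua"])
            target_hosts.update(host_of(u) for u in instr["urls"])
            if CLICK_JS.search(instr["js"]):
                findings.append(f"t={rec['t']}: supplied JavaScript simulates clicks")
            continue
        ua = rec.get("req_ua", "")
        if ua in supplied_uas:
            findings.append(f"t={rec['t']}: request to {rec['host']} uses server-supplied UA")
        elif is_desktop_ua(ua):
            findings.append(f"t={rec['t']}: desktop UA sent from a phone to {rec['host']}")
        if rec["host"] in target_hosts:
            findings.append(f"t={rec['t']}: fetch of C&C-directed URL on {rec['host']}")
    verdict = "suspicious" if len(findings) >= 2 else "clean"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG)["findings"]:
        print(line)
```

The correlation matters more than any single indicator: a lone desktop user-agent can be a legitimate "request desktop site" setting, and a JSON reply with a `js` field can be an ordinary web framework, but a reply that supplies a user-agent, URLs and click-simulating JavaScript, followed by the device fetching exactly those URLs with exactly that user-agent, is the sequence the steps above describe.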

JUDY’s Effect on the Android User:

So far there has been no evidence of any data being compromised on infected devices. The malware only generates revenue at the advertiser's expense, so it causes no direct financial harm to the device's user.

Solution & Recommendations:

If your device is infected, it is advisable to back up all your essential data and format the device.

However, the discovery of this malware has raised serious questions about the security measures of the Android ecosystem.

All mobile users should practice good cyber security hygiene: regularly review installed apps and monitor battery levels on the phone, since excessive consumption could mean an application is running in the background.

Download or purchase a good and reputable anti-virus or malware scanner.

For those of you who want to learn more, Check Point's blog post regarding this malware can be found here

THANK YOU FOR READING. PLEASE LIKE, SHARE AND SPREAD THE KNOWLEDGE!
