09 July 2018

Judy Malware Note

The Android operating system dominates the mobile market with a share of around 72 percent (more than 2 million monthly users, according to Google). According to security company G DATA in the first quarter of 2017 every day on average there were happening 8,400 new Android malware instances (https://www.gdatasoftware.com/blog/2017/04/29712-8-400-new-android-malware-samples-every-day). 

It’s not surprising that when ARG Security Operations group got a question regarding “Judy” Android software, allegedly a Trojan malicious app, we treated this seriously and scrambled everyone available to perform an in-depth research. At that time it was believed that “Judy” has infected around 36.5 million users - a significant number that didn’t allow us to not pay attention to this threat. According to several reports, mobile ad revenue stealing malware is earning figures like $300,000 to $345,000 monthly (https://research.checkpoint.com/rottensys-not-secure-wi-fi-service/https://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf).

The request was to identify Command and Control servers utilized by “Judy”. Initial confirmation of maliciousness came from Malwarebytes staff, who confirmed that they detect software as "Android/Trojan.HiddenAds.shin”.

Later a CheckPoint blog post was referenced that also talked about the “Judy” app and provided the list of malicious .apk files. The blog post did not contain any CnC servers, so the research team decided to check the software itself to see if it can be reverse engineered to find a CnC domain from the code itself. Below is the steps we’ve taken during the research:

  1. The “Judy” apps are no longer on the Play Store, so to obtain one of them we googled the package name given by Check Point (air.com.eni.FashionJudy061; app name: Fashion Judy: Snow Queen style) and used a play store scraper website apkmonk.com. Apkmonk seems to have a legitimate reputation of being just a scraper, we didn’t find any reports of them embedding anything into distributed apk files.
  2. Downloaded "Fashion Judy: Snow Queen style” from the apkmonk.com website, the app is of the same version as reported by Check Point to be malicious - version 1.510 from 3/24/2017.
  3. Extracted the classes.dex file from the apk and converted it to Java jar file using dex2jar-2.0 tool.
  4. Reverse engineered the jar file using the JD-GUI decompiler (JD-GUI version 0.3.6, JD-Core version and the fernflower decompiler (version from 08/04/2012). Both decompilers produced similar results.
  5. Analyzed the decompiled code for domain name like artifacts, found the following list:
  • Started the Android Emulator instance (API 19, Android 4.4, Nexus 5) and started the app inside the emulator.
  • Monitored the network activity using Wireshark, found the following queries, related to the app:
  1. All of the above websites are likely to be an mobile app statistics service and very unlikely to be CnCs, there is no mentioning of them associated with any malware and the traffic to them is high. Additionally our client’s team discovered that "app-service[123].com" domains are owned by an app marketing company.
  2. With the exception of m.kiniwini.com, the domains are standard advertisement services (tracking, statistics, etc.)
  3. During discussion with our client’s team we decided that m.kiniwini.com may be an indication of “ Judy” apps installs, they ran a machine learning model for this domain, got the following correlation:

The most similar domains to kiniwini.com.,1 are:

Domain name Similarity score Query type
battletcg.net 0.87 1
adsystem.kr 0.82 1
comolink.co.jp 0.80 1
atoonz.net 0.79 1
  1. The above correlated domains seem to also be related to ad business.
  2. Additional reverse engineering and static analysis was done on the previous version of Chef Judy: Halloween Cookies app (air.com.eni.ChefJudy058). Check Point mentions an update from 4/10/2017, the analysis was done on the apk from 10/19/2016.
  3. The code contained references to shinhwa21.com domain in the net.shinhwa21.jsylibrary module:
  1. After analysis, an existing review of a suspicious file with reference to the same domain was found: https://www.hybrid-analysis.com/sample/e09a61b4d5dcfbc4a921e60309488bd7773e448fa4bcb7da23f7d6c03f5d9f4c?environmentId=200
  2. However, based on the discussion and analysis of the domain behavior and the current traffic to the domain we believe that this is not the CnC and some artifact related to Korean mobile app ad scene.
  3. Proposed next steps: setting up a hardware environment for running the app on a real android device and analysing the traffic pattern in that case in order to eliminate the possibility of app detecting the emulator and not contacting the CnC.


As a result of the above research and discussion we believe that the “Judy” apps are not really malware, but instead a click-fraud app that designed to lure the users to click on different ad campaign ads and profit from those clicks. It should fall in the category of “Potentially Unwanted Apps” rather than “real” malware.