MITRE ATT&CK® Malware

S0325: Judy

Judy is auto-clicking adware that was distributed through multiple apps in the Google Play Store. [1]

Mobile · S0325 · Malware · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Judy matters because it shows how a mobile app risk can pass through a trusted distribution path and then generate unwanted outbound activity from user devices. For leaders, the practical issue is not only "adware" but whether the organization can see which mobile apps are installed, whether those apps can download new code after installation, and whether abnormal device-generated web traffic would be noticed before it becomes a fraud, privacy, compliance, or incident-response problem.

Executive priority

Prioritize this as a mobile application governance and visibility question. Executives should ask whether corporate or BYOD mobile devices are covered by app inventory, app-source policy, mobile threat monitoring, and response procedures for removing risky apps. Because ATT&CK provides no official detection text for Judy, assurance should come from validated telemetry and control evidence rather than assumptions that app-store sourcing alone is sufficient.

Technical view

ATT&CK describes Judy as auto-clicking adware distributed through multiple apps in the Google Play Store. Its two technique relationships are Download New Code at Runtime (T1407), because the malicious payload was fetched after installation rather than shipped in the store-reviewed package, and Generate Traffic from Victim (T1643), because infected devices were used to generate fraudulent ad clicks. SOC, mobile security, and IR teams should validate whether they can identify apps that retrieve executable or dynamic code after installation and correlate that with unusual outbound web traffic from mobile devices. Treat this as a behavior-driven detection problem: app identity, install source, runtime network activity, and post-install code retrieval are more useful signals than static app presence alone, because the store-reviewed package itself carried nothing malicious until it fetched its payload.

Likely telemetry

  • Mobile device and application inventory, including app name, package identifier where available, version, install time, and install source
  • Mobile device management or enterprise mobility logs showing approved, blocked, removed, or unmanaged apps
  • Mobile network, DNS, proxy, secure web gateway, or mobile threat defense telemetry showing outbound web traffic generated by devices
  • Signals of runtime code download or dynamic content retrieval by mobile apps, where available
  • Application permission and behavior metadata, especially permissions or behaviors associated with traffic generation

Detection direction

  • Validate visibility into post-install behavior, not just pre-install or app-store reputation, because the related technique T1407 involves downloading new code at runtime.
  • Look for combinations of suspicious mobile app inventory plus abnormal outbound web traffic consistent with T1643, while tuning for legitimate ad-supported apps and normal background traffic.
  • Confirm whether mobile telemetry covers personally owned devices used for business access; BYOD gaps can materially reduce detection and response confidence.
  • Use relationship-driven hunting: apps with unexpected runtime downloads, unusual domains, high-volume web requests, or traffic patterns inconsistent with user activity should be reviewed together.
  • Document what cannot be detected. The ATT&CK object provides no official detection guidance, so local control validation is required before claiming coverage.
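As an added example, not taken from the ATT&CK record or from Glexia's analysis, the following Python script carries out the two-signal correlation described in the technical view and the detection direction above. It joins a constructed MDM app inventory with constructed per-app proxy records, flags apps that fetched executable archives after their install time (the T1407 pattern) and apps that emit long, machine-regular runs of ad-click requests (the T1643 pattern), and ranks device/app pairs by how many of the two behaviours they show. The field names, the *.invalid domains, the content-type and URL-suffix lists, and the thresholds MIN_CLICKS and MAX_INTERARRIVAL_CV are assumptions to be tuned against local telemetry.

```python
"""Correlate a mobile app inventory with per-app egress logs for Judy-like behaviour.
Added example, not part of the ATT&CK record or the Glexia analysis. Field names, the
*.invalid domains, thresholds and every record below are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed MDM inventory rows: device, package, install time (ISO 8601).
INVENTORY = [
    {"device": "dev-01", "package": "com.example.kidsgame", "installed": "2025-03-01T08:00:00"},
    {"device": "dev-02", "package": "com.example.news", "installed": "2025-02-10T12:00:00"},
    {"device": "dev-03", "package": "com.example.kidsgame", "installed": "2025-03-01T10:00:00"},
]


def _click_run(device, package, start, count, period_s):
    """Build a constructed run of ad-click requests fired at a fixed period."""
    base = datetime.fromisoformat(start)
    return [
        (device, package, (base + timedelta(seconds=i * period_s)).isoformat(),
         f"http://ads.example-tracker.invalid/click?id={i}", "text/html")
        for i in range(count)
    ]


# Constructed proxy records: (device, package, timestamp, url, content_type).
PROXY_LOG = [
    # dev-01 fetches an executable archive five minutes after install (T1407 pattern).
    ("dev-01", "com.example.kidsgame", "2025-03-01T08:05:12",
     "http://cdn.example-ads.invalid/update/payload.jar", "application/java-archive"),
    # dev-02 shows a few ordinary ad requests at human-irregular intervals.
    ("dev-02", "com.example.news", "2025-03-01T08:10:03", "http://ads.example-tracker.invalid/click?id=1", "text/html"),
    ("dev-02", "com.example.news", "2025-03-01T08:14:40", "http://ads.example-tracker.invalid/click?id=2", "text/html"),
    ("dev-02", "com.example.news", "2025-03-01T09:02:19", "http://ads.example-tracker.invalid/click?id=3", "text/html"),
    # dev-03 carries the same package as dev-01 but only fetches an image: presence alone is not a finding.
    ("dev-03", "com.example.kidsgame", "2025-03-01T10:01:00",
     "http://cdn.example-ads.invalid/banner.png", "image/png"),
] + _click_run("dev-01", "com.example.kidsgame", "2025-03-01T09:00:00", 40, 2)

# Assumed labels a proxy attaches to code payloads; tune to what local telemetry emits.
EXECUTABLE_TYPES = {"application/vnd.android.package-archive", "application/java-archive"}
EXECUTABLE_SUFFIXES = (".apk", ".jar", ".dex", ".so")
CLICK_MARKER = "/click"        # assumed path fragment of the ad-click endpoint
MIN_CLICKS = 20                # assumed minimum requests before a run counts as a burst
MAX_INTERARRIVAL_CV = 0.25     # assumed ceiling: gaps this regular look machine-driven


def runtime_code_downloads(inventory, log):
    """Return (device, package) pairs whose app fetched executable content after its install time."""
    installed = {(r["device"], r["package"]): datetime.fromisoformat(r["installed"]) for r in inventory}
    hits = set()
    for device, package, ts, url, ctype in log:
        key = (device, package)
        if key not in installed or datetime.fromisoformat(ts) < installed[key]:
            continue
        if ctype in EXECUTABLE_TYPES or url.lower().endswith(EXECUTABLE_SUFFIXES):
            hits.add(key)
    return hits


def interarrival_cv(timestamps):
    """Coefficient of variation of the gaps between requests; 0.0 means perfectly periodic."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return float("inf")           # too few requests to judge regularity
    avg = mean(gaps)
    return 0.0 if avg == 0 else pstdev(gaps) / avg


def click_generators(log):
    """Return (device, package) pairs with a long, machine-regular run of ad-click requests."""
    per_app = defaultdict(list)
    for device, package, ts, url, _ in log:
        if CLICK_MARKER in url:
            per_app[(device, package)].append(ts)
    return {key for key, ts in per_app.items()
            if len(ts) >= MIN_CLICKS and interarrival_cv(ts) <= MAX_INTERARRIVAL_CV}


def triage(inventory, log):
    """Rank each inventoried (device, package) by how many of the two behaviours it shows."""
    code = runtime_code_downloads(inventory, log)
    clicks = click_generators(log)
    rows = []
    for r in inventory:
        key = (r["device"], r["package"])
        flags = []
        if key in code:
            flags.append("T1407 runtime code download")
        if key in clicks:
            flags.append("T1643 click generation")
        rows.append((key, flags))
    return sorted(rows, key=lambda row: -len(row[1]))


if __name__ == "__main__":
    for (device, package), flags in triage(INVENTORY, PROXY_LOG):
        print(f"{device} {package}: {', '.join(flags) or 'no behavioural flags'}")
```

Run stand-alone, the script prints one line per inventoried device/app pair. The constructed data is arranged so that only dev-01 carries both flags, while dev-03, which has the same package installed, carries none; that contrast is the point of the page's warning that app presence alone is weak evidence. The regularity test (coefficient of variation of inter-request gaps) is what separates an auto-clicker from a legitimate ad-supported app whose requests follow a human's usage pattern, and it is the first threshold to tune when a real fleet's background traffic produces false positives.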

Mitigation priorities

  • Establish or validate mobile app governance: approved app sources, app allowlisting or risk-based blocking where appropriate, and clear handling for apps distributed through trusted stores but later found risky.
  • Require mobile app inventory for devices accessing business resources, with a defined process to identify and remove unwanted or risky applications.
  • Strengthen review of mobile apps that download code or content after installation, especially for managed devices and sensitive user populations.
  • Monitor and control mobile egress through available network, DNS, proxy, or mobile security controls to support investigation of abnormal traffic generation.
  • Maintain IR procedures for mobile adware or unwanted app incidents, including user notification, device scoping, app removal, credential-risk review when business access is present, and evidence capture for audit readiness.

Analyst notes and limits

The strongest decision value is the gap test: can the organization prove which mobile apps are installed and whether those apps generate abnormal outbound traffic or retrieve new code after installation? Judy is useful as a planning case for managed detection, mobile security, incident response, compliance evidence, and BYOD governance because the official ATT&CK record is sparse but the related behaviors are operationally meaningful.

The supplied Judy object does not specify platforms, tactics, aliases, labels, or official detection guidance. The description references distribution through Google Play Store, and related techniques list Android and iOS, but platform-specific conclusions should be validated against local mobile fleet data. No active exploitation, attribution, impact, or guaranteed detection coverage is implied by the supplied fields.

Official MITRE ATT&CK definition

Judy

Judy is auto-clicking adware that was distributed through multiple apps in the Google Play Store. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1643 | Generate Traffic from Victim | Judy uses infected devices to generate fraudulent clicks on advertisements to generate revenue. [1]
Mobile | T1407 | Download New Code at Runtime | Judy bypasses Google Play's protections by downloading a malicious payload at runtime after installation. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9e07dcd70be7b4b6...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 9e07dcd70be7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CheckPoint-Judy
     CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.

  2. [2] mitre-attack S0325
     MITRE ATT&CK source object for S0325: Judy.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.