Researchers say the six apps had combined total of 200,000 downloads – and users who installed them should delete them.
Cybersecurity researchers have unmasked six applications on the Google Play store with a combined total of over 200,000 downloads in yet another example of the highly persistent malware that has been plaguing Android users for the past three years.
Joker malware pretends to be a legitimate app in the Play Store but after installation conducts billing fraud by either sending SMS messages to a premium rate number or using the victim’s account to repeatedly make purchases using WAP billing, which also lines the pockets of Joker’s operators. The activity occurs behind the scenes and without any input required from the user, meaning they often won’t find out that they’ve been scammed until they receive a phone bill full of additional charges.
Google has removed over 1,700 apps containing Joker malware from the Play Store since 2017, but the malware keeps re-emerging and now six new malicious apps have been identified by researchers at cybersecurity company Pradeo. Of the six apps uncovered as delivering Joker, one called ‘Convenient Scanner 2’ has been downloaded over 100,000 times alone, while ‘Separate Doc Scanner’ has been downloaded by 50,000 users.
Another app, ‘Safety AppLock’, claims to ‘protect your privacy’ and has been installed 10,000 times by unfortunate victims who will eventually find that the malicious download harms, rather than protects, them. Two more apps have also received 10,000 downloads each – ‘Push Message-Texting&SMS’ and ‘Emoji Wallpaper’, while one named Fingertip GameBox has been downloaded 1,000 times. The six apps have now been removed from the Play Store after being disclosed to Google by Pradeo. ZDNet has attempted to contact Google for comment; no response had been received at the time of publication.
Users who have any of the applications on their Android smartphone are urged to remove them immediately. The six apps are just the latest in a long line of malicious downloads that the group behind Joker – also known as Bread – have attempted to sneak into the Play Store.
A previous blog post by Google’s Android security and privacy team describes Joker as one of the most persistent threats the Play Store faces, with the attackers behind it having “at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected”. They also note that the sheer number of attempted submissions to the Play Store is one of the reasons it has remained so successful, with up to 23 different apps submitted a day during peak times.
In many cases, the malicious apps have been able to bypass the defences of the Play Store by submitting clean apps to begin with, only to add malicious functionalities at a later date. “These apps are riddled with permission requests and submitted to Google Play by their developers. They get approved, published and installed by users. Once running on users’ devices, they automatically download malicious code,” Pradeo’s Roxane Suau told ZDNet. “Then, they leverage their numerous permissions to execute the malicious code. Security checks of these apps’ source code as it is published on the store do not detect the malware, because it’s not there yet,” she added.
The authors of Joker attempt to encourage downloads of the malware by entering fake positive reviews – although many of the apps identified by Pradeo also have many negative reviews by users who’ve fallen victim to the malware, something that users should look out for when downloading apps. The individual or group behind Joker is highly likely to still be active and attempting to trick more users into downloading malware in order to continue the fraud operation.