Posted on December 19, 2021 at 5:05 PM
Android users have been targeted by a new application used to deliver the Joker malware. The application is hidden on Google Play Store, and the platform has already warned those who had downloaded it to uninstall it.
The malware was detected by cybersecurity researchers from Pradeo. While the app has been removed from the android app marketplace, it has affected over half a million Android users.
Joker malware disguised as messaging app
The Pradeo report states that the app was listed on Google Play Store as a ‘Color Message’ application. It was downloaded by over half a million users on the Play Store, showing that the app had a great reach, affecting many users.
The app in question is known as “Color Message.” According to the developers’ description, the app was used by users to personalize their default SMS messages, but instead, it was used as a front to deliver the Joker application on these devices.
Joker is one of the most popular malware used to target Android devices. Joker is categorized as Fleeceware, and it is used by people to generate clicks and intercept SMS messages. Moreover, it is also used to make a subscription to unwanted paid premium services that are unknown to users.
The Joker malware is very effective and stealthy in its mode of operation. It uses very little code to gain access to the user’s information. Additionally, it hides its movement to ensure there is little or no footprint regarding the operations. Therefore, once this malware has infected a device, it can be hard to detect it.
The malware is very common among applications. Over the past two years, it has been detected on hundreds of apps, leaving hundreds of thousands of users vulnerable to attacks and infiltration of their personal data.
After the malware has been installed on the user’s device, it functions by running various things. The first is that it simulates clicks. This allows the threat actors behind the malware to generate revenues by running malicious ads on the user’s devices.
The other thing this malware does is that it unwillingly subscribes users to engage in unwanted paid premium services. The threat actors do this intending to steal money from these users, thereby committing billing fraud.
The other thing is that it also accesses the users’ contact lists. After the numbers have been accessed, the platform goes ahead and sends the discovered details to the attackers. According to the report, the details are sent to servers based in Russia.
The report further adds that “the application’s very concise terms and conditions are hosted on an unbranded one-page blog and do not disclose the extent of the actions the app can perform on users’ devices. One of the victims has even tried reaching out to the application’s developer through the comment section of the legal page; other users are directly complaining about the fraud in the comment section of the app on the store.”
The application already had negative reviews on Google Play Store, with users stating that it was conducting actions for which it was not authorized. Some of the users stated that the app was deducting charges from their devices for services that they had not requested or gained access to.
Google Play fails to hide malicious apps
Google Play has a system in place that prevents the publication of malicious apps on the platform. However, the systems are not strong enough to prevent these malicious apps from bypassing them; some developers have managed to post malware on the platform.
A cybersecurity researcher from Pradeo spoke of this development, stating, “by using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect.”
The researchers and Google Play Store have urged those who had downloaded the malware to uninstall it from the platform.
This is not the first time the Joker malware has been detected on Google Play Store. Cybersecurity researchers have stated that the malware has been operating on the Play Store for the past two years. Moreover, the malware is expected to continue operating on the platform, given the highly persistent nature of the attackers behind its development and distribution.
Reports from Google show that the malware has been taken down from the platform. Additionally, the users who have uninstalled it from their devices have a chance of preventing the malware from conducting additional attacks.