Google has now deleted 6 apps from its Google Play marketplace that were infecting users with the Joker malware (a.k.a. Bread).
The 6 malicious apps have been removed from Google Play but could still endanger 200,000 installations.
Together, the apps – whose functions range from text messaging to emoji wallpaper – account for nearly 200,000 installs, researchers with Pradeo commented in a post.
Google confirmed that all infected applications have now been removed from Google Play, but researchers explained that they are still installed on the devices of their users, & asked users to immediately delete the apps.
“Most apps embedding Joker malware are programmed to load & execute external code after being published on the store,” Roxane Suau, with Pradeo, observed. “First, these apps are riddled with permission requests & submitted to Google Play by their developers.
They get approved, published & installed by users. Once running on users’ devices, they automatically download malicious code. Then, they use their many permissions to execute the malicious code.”
The apps found with malware are: Convenient Scanner 2 (100,000 installs), Separate Doc Scanner (50,000 installs), Safety AppLock (10,000 installs), Push Message-Texting & SMS (10,000 installs), Emoji Wallpaper (10,000 installs) & Fingertip GameBox (1,000 installs). Extra information on these apps is here.
These apps were specially developed by individuals who programmed them to act maliciously, Suau explained. Suau further suggested that looking at the apps’ ratings revealed several ‘red flags’, including reviews that say that the apps are fake.
Joker is a billing-fraud family of malware (which researchers call “fleeceware”) that was noted in 2017 but began to increase in 2019.
It looks like a genuine app but, once installed, simulates clicks & intercepts SMS messages to subscribe victims to unwanted, paid premium services without their knowledge, researchers explained.
Malicious apps spreading Joker have continued to evade Google Play’s protections since 2019, because the malware-maker keeps making small changes to the code.
“By using as little code as possible & thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect,” Suau suggested.
In 2020, the Joker malware has continued to thrive on Google Play. In July, Google removed 11 malicious Android apps from the store that were spreading the malware, & in Jan., researchers revealed that Google had, up to that point, removed 17,000 Android apps that had been access routes for the Joker malware.
Hank Schless, Senior Manager for Security Solutions at Lookout, explained that researchers still find Joker appearing in Android apps, & now with workforces going largely remote due to the current, ongoing pandemic, the danger of Joker being spread via productivity apps is growing.
“Because of how frequently Joker & other discreet malware appear in a wide variety of apps, mobile users need to leverage mobile security in order to keep themselves & their organisations safe,” he commented.
“Especially in a time of global remote work, mobile devices & tablets are used for both work & personal reasons. If you download an app infected with Joker or other malware, you’re giving the threat actor access to your personal data as well as any company data you access from that device.”
The re-emergence of Joker malware in the Google Play Store also shows how hard it is for users to know whether a piece of software is reasonably secure, Jonathan Knudsen, Senior Security Strategist with Synopsys, observed.
“In an app store, it’s impractical to understand the development processes for every app, so the store must rely on security testing to assess submitted apps,” he outlined.
“For many organisations, however, the procurement process offers untapped opportunities to assess how vendors build software, to perform rigorous testing, & to make informed decisions based on risk.”