Google Boots Multiple Malware-laced Android Apps from Marketplace


Google removed eight Android apps, with 3M cumulative downloads, from its marketplace for being infected with a Joker spyware variant.

Google has removed eight apps from its Google Play store that were propagating a new variant of the Joker spyware, but not before they already had garnered more than 3 million downloads.

French security researcher Maxime Ingrao of cybersecurity firm Evina discovered malware that he dubbed Autolycos, which can subscribe users to a premium service as well as access users’ SMS messages, according to a post he made on Twitter last week. This type of malware–in which malicious applications subscribe users to premium services without their knowledge or consent to rack up payment charges–is called toll fraud malware, or more commonly, fleeceware.


Ingrao said he discovered eight applications on the site spreading Autolycos since June 2021 that had racked up several million downloads. The cybercriminals behind Autolycos are using Facebook pages and running ads on Facebook and Instagram to promote the malware, he said.

“For example, there were 74 ad campaigns for Razer Keyboard & Theme malware,” Ingrao tweeted in one of a series of follow-up posts describing how the malware works.

Joker Rides Again

Ingrao compared the malware to Joker, a spyware discovered in 2019 that also secretly subscribed people to premium services and stole SMS messages, among other nefarious activities.

Indeed, upon further examination, researchers from Malwarebytes believe the malware is a new variant of Joker, which Malwarebytes refers to as “Android/Trojan.Spy.Joker,” Malwarebytes intelligence researcher Pieter Artnz said in a post published a day after Ingrao’s revelation.

Joker was one of the first major malware families that specialized in fleeceware, according to Malwarebytes. The trojan would hide in the advertisement frameworks utilized by the malicious apps propagating it; these frameworks aggregate and serve in-app ads.

After the apps with Joker were installed, they would show a “splash” screen, which would display the app logo, to throw off victims while performing various malicious processes in the background, such as stealing SMSes and contact lists as well as performing ad fraud and signing people up for subscriptions without their knowledge.

Difference in Execution

One difference between the original Joker and Autolycos, however, was pointed out by Ingrao. “No webview like #Joker but only http requests,” he tweeted.

“It retrieves a JSON (JavaScript Object Notation) on the C2 address: 68.183.219.190/pER/y,” Ingrao said of Autolycos in a tweet. “It then executes the URLs, for some steps it executes the URLs on a remote browser and returns the result to include it in the requests.”

Malwarebytes’ Artnz also explained this difference further in his post. While Joker used webviews—or a piece of Web content, such as “a tiny part of the app screen, a whole page, or anything in between”—to do its dirty work, Autolycos avoids this by executing URLs on a remote browser and then including the result in HTTP requests, he wrote.

This helps Autolycos evade detection even more adeptly than the original Joker, according to Malwarebytes’ Artnz. “Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on,” he wrote.

Lag Time in Discovery and App Removal

The eight apps in which Ingrao discovered Autolycos are:

  • Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
  • Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
  • Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
  • Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
  • Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
  • Coco Camera v1.1 (com.toomore.cool.camera) – 1,000 downloads
  • Funny Camera by KellyTech – 500,000 downloads
  • Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads
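
For defenders who want to check a device fleet against the list above, the following is an added example and not code from Ingrao, Evina or Malwarebytes. It assumes a hypothetical MDM inventory export in CSV form with `device`, `package` and `label` columns; the six package IDs come from the list, and the two apps listed without a package ID can only be matched by name.

```python
import csv
import io

# Package IDs exactly as listed in the article.
KNOWN_PACKAGES = {
    "com.vlog.star.video.editor", "app.launcher.creative3d",
    "com.wowbeauty.camera", "com.gif.emoji.keyboard",
    "com.glow.camera.open", "com.toomore.cool.camera",
}
# The article gives no package ID for these two, only the store name.
# Labels are not unique, so a hit here is a lead to review, not proof.
KNOWN_LABELS = {"funny camera", "razer keyboard & theme"}

def find_listed_apps(inventory_csv):
    """Return (device, package, label, basis) for each inventory row that
    matches a listed app. basis is 'package-id' or 'label-only'."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        package = row["package"].strip()
        label = row["label"].strip()
        if package in KNOWN_PACKAGES:      # exact match; IDs are case-sensitive
            basis = "package-id"
        elif label.casefold() in KNOWN_LABELS:
            basis = "label-only"
        else:
            continue
        hits.append((row["device"].strip(), package, label, basis))
    return hits

# Constructed sample inventory. Device names, the CSV layout and the
# package IDs com.example.funcam / com.wowbeauty.camera.pro are made up.
SAMPLE_INVENTORY = """device,package,label
pixel-014,com.android.chrome,Chrome
pixel-014,com.vlog.star.video.editor,Vlog Star Video Editor
sm-a52-203,com.example.funcam,Funny Camera
sm-a52-203,com.wowbeauty.camera.pro,Wow Beauty Camera Pro
moto-g-077,com.toomore.cool.camera,Camera
"""

if __name__ == "__main__":
    for device, package, label, basis in find_listed_apps(SAMPLE_INVENTORY):
        print(f"{device}: {label} ({package}) matched by {basis}")
```

A `package-id` hit is independent of the display label, which is why the renamed "Camera" row is still reported, while the similarly named `com.wowbeauty.camera.pro` is not.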

While Ingrao discovered the offending apps in July 2021 and reported them to Google quickly, he told BleepingComputer that the company took six months to remove six of the apps. Moreover, Google only finally removed the last two on July 13, according to Malwarebytes.

Artnz was critical of the lag time between discovery and removal, though he did not speculate as to the reason why, noting only that “the small footprint and masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store.”

“It’s possible [the malicious apps] would still be available if the researcher hadn’t gone public because he said he got tired of waiting,” Artnz wrote.

Google did not immediately respond to a request for comment on Monday. Indeed, the company has a storied history of struggling to keep malicious apps, in particular fleeceware, off its mobile app store for the Android platform.
