Joker Spyware Plagues More Google Play Apps


The six malicious apps have been removed from Google Play, but could still threaten 200,000 installs.

Google has deleted six apps from its Google Play marketplace that were infecting users with the Joker malware (a.k.a. Bread).

Together, the apps – which tout functionalities ranging from text messaging to emoji wallpaper – account for nearly 200,000 installs, researchers with Pradeo said in a post this week. As of Wednesday, Google confirmed with Threatpost that all infected applications have been removed from Google Play, but researchers said that they are still installed on the devices of their users, and urged users to immediately delete the apps.

“Most apps embedding Joker malware are programmed to load and execute external code after being published on the store,” Roxane Suau, with Pradeo, told Threatpost. “First, these apps are riddled with permission requests and submitted to Google Play by their developers. They get approved, published and installed by users. Once running on users’ devices, they automatically download malicious code. Then, they leverage their numerous permissions to execute the malicious code.”

The apps found with malware are: Convenient Scanner 2 (with 100,000 installs), Separate Doc Scanner (with 50,000 installs), Safety AppLock (with 10,000 installs), Push Message-Texting & SMS (with 10,000 installs), Emoji Wallpaper (with 10,000 installs) and Fingertip GameBox (with 1,000 installs). More information on these apps can be found here.

The apps were expressly developed by individuals who programmed them to act maliciously, Suau told Threatpost. Suau said that looking at the apps’ ratings revealed several red flags, including reviews that say the apps are fake (see graphic, below).

[Figure: malicious Joker apps. Credit: Pradeo]

Joker is a billing-fraud family of malware (which researchers categorize as “fleeceware”) that emerged in 2017 but began to ramp up in 2019.

It advertises itself as a legitimate app, but once installed, simulates clicks and intercepts SMS messages to subscribe victims to unwanted, paid premium services (unbeknownst to them), researchers said.
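As an added illustration (not code from Pradeo, Google or Threatpost), the sketch below triages an app for the traits described above: a long permission list, SMS access, and network access combined with direct references to Android's dynamic class loaders. It assumes the APK's manifest has already been decoded to text XML and its dex file read as bytes; the threshold, flag names and sample apps are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
# Type descriptors as they appear in a dex string table when the loader classes
# are referenced directly; reflection or string obfuscation will hide them.
LOADER_MARKERS = (b"Ldalvik/system/DexClassLoader;",
                  b"Ldalvik/system/InMemoryDexClassLoader;")
MANY_PERMS = 8  # assumed review threshold, tune per app category


def triage(manifest_xml: str, dex: bytes) -> list:
    """Return review flags for one app; an empty list is not proof of safety."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")} - {None}
    flags = []
    if len(perms) >= MANY_PERMS:
        flags.append("many-permissions")
    if perms & SMS_PERMS:
        flags.append("sms-access")
    if "android.permission.INTERNET" in perms and any(m in dex for m in LOADER_MARKERS):
        flags.append("network+dynamic-code-loading")
    return flags


def manifest(*perms):
    """Build a constructed manifest for the sample apps below."""
    body = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{body}</manifest>')


# Constructed samples: a wallpaper app that asks for SMS access, and a plain one.
SUSPECT = (manifest("INTERNET", "RECEIVE_SMS", "READ_SMS", "SEND_SMS", "READ_CONTACTS",
                    "READ_PHONE_STATE", "CHANGE_WIFI_STATE", "ACCESS_NETWORK_STATE",
                    "WAKE_LOCK"),
           b"dex\n035\x00...Ldalvik/system/DexClassLoader;...")
BENIGN = (manifest("INTERNET", "SET_WALLPAPER"), b"dex\n035\x00...Lcom/example/Main;...")

if __name__ == "__main__":
    for name, (xml, dex) in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(xml, dex))
```

The flags are prompts for manual review, not verdicts: many legitimate apps load code dynamically, and a sample that hides its loader strings will return no flag from the dex check.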

Malicious apps spreading the Joker have continued to skirt Google Play’s protections since 2019, because the malware’s author kept making small changes to its code.

“By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect,” Suau said.

In 2020, the Joker malware has continued to thrive on Google Play. In July, Google removed 11 malicious Android apps from the store that were spreading the malware, and in January, researchers revealed that Google had removed 17,000 Android apps at that point that had been conduits for the Joker malware.

Hank Schless, senior manager for Security Solutions at Lookout, said that researchers continue to see Joker popping up in Android apps — and now with workforces going remote due to the current, ongoing pandemic, the threat of Joker being spread via productivity apps is increasing.

“Because of how frequently Joker and other discreet malware appear in a wide variety of apps, mobile users need to leverage mobile security in order to keep themselves and their organizations safe,” he said via email. “Especially in a time of global remote work, mobile devices and tablets are used for both work and personal reasons. If you download an app infected with Joker or other malware, you’re giving the threat actor access to your personal data as well as any company data you access from that device.”

The re-emergence of Joker malware in the Google Play Store also highlights the fundamental challenge of how users can know if a piece of software is reasonably secure, Jonathan Knudsen, senior security strategist with Synopsys, said.

“In an app store, it’s impractical to understand the development processes for every app, so the store must rely on security testing to assess submitted apps,” he said. “For many organizations, however, the procurement process offers untapped opportunities to assess how vendors build software, to perform rigorous testing, and to make informed decisions based on risk.”
