Security

16 apps on Google Play Store caught distributing Joker malware

After removing six apps infected with the Joker malware earlier in Sep, Google has now removed 16 more apps from its Play Store.

The Joker malware, a billing-fraud strain of malware, has proven to be a persistent threat for Google Android. Despite the company’s relentless efforts, it’s still found in apps available on the Play Store.

In September, Google removed six such apps, which were infected with the Joker malware, as identified by Pradeo cybersecurity firm. These apps had a total of 200,000 downloads but in July 2020, the Joker malware was once again witnessed on Play Store.

See: Nasty malware duo pre-installed on thousands of cheap Android phones

Now, according to a report from cybersecurity firm Zscaler, Google has removed 16 more apps for the same reason. These apps were uploaded to the Play Store in September and had 120,000 downloads.

Logos of malicious apps (Image: Zscaler)

Zcaler’s Viral Gandhi explained that Joker is a spyware that can simulate clicks. It is called fleeceware, designed for stealing contact lists, SMS messages, and device information from the phone, apart from discreetly subscribing for “premium wireless application protocol (WAP) services.”

Joker malware is difficult to detect since it used minimal code. Zscaler researchers tried to understand how it remains so evasive and its payload deployment variations. They learned that the final payload is delivered via a direct URL in most of its variants, which the C&C server sends to the apps. The apps already have the C&C server address hidden inside their code with string obfuscation.



The apps contacted the C&C server soon after installing and then accepting the URL containing the final payload configuration in a JSON file. The file also includes information on the class name it needs to execute itself from the payload. After receiving the configuration, the app downloads and executed the final payload.

Some apps use single-step download mechanisms where an encrypted stager payload URL is encoded in the code. So after infecting the device, instead of downloading the final payload, the app downloads the encrypted stager payload to retrieve the payload and execute it.

There is a third method that some of the apps used for the execution of the payload. It is a complicated method involving an additional step before retrieving the payload from the C&C server.

See: Camera privacy bug found in Firefox Android in 2019 hasn’t been fixed yet

Researchers also noted that despite several variations, the Joker payload remained the same throughout and performed similar functions.

We recommend paying close attention to the permission list in the apps that you install on your Android device. Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page also helps identify compromised apps, researcher said in a blog post.

Here’s a full list of the apps compiled by researchers:

Private SMS
Care Message
Part Message
Blue Scanner
Desire Translate
Direct Messenger
Paper Doc Scanner
Tangram App Lock
Style Photo Collage
Meticulous Scanner
All Good PDF Scanner
Talent Photo Editor - Blur focus
Mint Leaf Message-Your Private Message
Hummingbird PDF Converter - Photo to PDF
Unique Keyboard - Fancy Fonts & Free Emoticons
One Sentence Translator - Multifunctional Translator

Zscaler notified Google about the apps infected with Joker malware, and the company’s IT team promptly removed them.

You Might Also Like