A new set of trojanized apps spread via the Google Play Store has been observed distributing the notorious Joker malware on compromised Android devices.
Joker, a repeat offender, refers to a class of harmful apps that are used for billing and SMS fraud, while also performing a number of actions of a malicious hacker’s choice, such as stealing text messages, contact lists, and device information.
Despite continued attempts on the part of Google to scale up its defenses, the apps have been continually iterated to search for gaps and slip into the app store undetected.
“They’re usually spread on Google Play, where scammers download legitimate apps from the store, add malicious code to them and re-upload them to the store under a different name,” Kaspersky researcher Igor Golovin said in a report published last week.
The trojanized apps, taking the place of their removed counterparts, often appear as messaging, health tracking, and PDF scanner apps that, once installed, request permissions to access text messages and notifications, abusing them to subscribe users to premium services.
A sneaky trick used by Joker to bypass the Google Play vetting process is to render its malicious payload “dormant” and only activate its functions after the apps have gone live on the Play Store.
Three of the Joker-infected apps detected by Kaspersky through the end of February 2022 are listed below. Although they have been purged from Google Play, they continue to be available from third-party app providers.
- Style Message (com.stylelacat.messagearound),
- Blood Pressure App (blood.maodig.raise.bloodrate.monitorapp.plus.tracker.tool.health), and
- Camera PDF Scanner (com.jiao.hdcam.docscanner)
This is not the first time subscription trojans have been uncovered on app marketplaces. Last year, apps for the APKPure app Store and a widely-used WhatsApp mod were found compromised with a malware called Triada.
Then in September 2021, Zimperium took the wraps off an aggressive money-making scheme called GriftHorse, following it up with yet another case of premium service abuse called Dark Herring earlier this January.
“Subscription trojans can bypass bot detection on websites for paid services, and sometimes they subscribe users to scammers’ own non-existent services,” Golovin said. “To avoid unwanted subscriptions, avoid installing apps from unofficial sources, which is the most frequent source of malware.”
“The Joker malware is a clear example of the cat and mouse game that has occurred for years between security layers and the malicious actors behind it,” Richard Melick, director of threat reporting at Zimperium, said in a statement shared with The Hacker News.
“With each update, it proves time and time again that basic security and mobile device management aren’t enough. Relying on app spoofing and cloning, Joker continues to go through iterations of updates and advancements to be able to get past OEM and basic security, leaving mobile endpoints and users at risk.”