Google removed 17 Android apps from the official Play Store this week. The 17 apps, identified by Zscaler’s security researchers, were infected with the Joker malware (also known as Bread).
“This spyware is designed to steal SMS messages, contact lists and device information, along with silent victim registration for premium Wireless Application Protocol (WAP) services,” Zscaler security researcher Viral Gandhi said this week.
The 17 malicious apps were uploaded to the Play Store this month and were detected before they could build a large following, but by then they had still been downloaded more than 120,000 times.
The names of the 17 apps were:
- All good PDF scanner
- Mint Leaf Message: Your private message
- Unique keyboard – fancy fonts and free emoticons
- Tangram app lock
- Direct Messenger
- Private SMS
- A Sentence Translator – Multifunctional Translator
- Photo Collage Style
- Meticulous scanner
- Desire Translate
- Talent Photo Editor – Blurs the focus
- Message of care
- Partial message
- Paper Doc Scanner
- Blue scanner
- Hummingbird PDF Converter – Photo to PDF
- All good PDF scanner
Following its internal procedures, Google removed the apps from the Play Store and used the Play Protect service to disable them on infected devices, but users still have to remove the apps from their devices manually.
Joker is the bane of the Play Store
But this recent removal also marks the third such action by Google’s security team against a batch of Joker-infected apps in recent months.
Google removed six of these apps earlier this month after they were spotted and flagged by security researchers at Pradeo.
Before that, in July, Google removed another batch of Joker-infected apps discovered by security researchers at Anquanke. This batch had been running since March and managed to infect millions of devices.
The way these infected apps usually manage to make their way past Google’s defenses and reach the Play Store is through a technique called a “dropper,” where the victim’s device is infected in a multi-step process.
The technique is simple, but difficult to defend against from Google’s point of view.
Malware authors start by cloning the functionality of a legitimate app and uploading it to the Play Store. This app is fully functional and requests dangerous permissions, but performs no malicious action when it is first run.
Since malicious actions are usually delayed by hours or days, Google’s security scans don’t detect the malicious code, and Google usually allows the app to be listed in the Play Store.
But once on a user’s device, the app eventually downloads and “drops” (hence the names dropper or loader) other components or apps onto the device that contain Joker or other strains of malware.
The Joker family, which Google tracks internally as Bread, has been one of the most avid users of the dropper technique. This, in turn, has given Joker more access to the Play Store, the holy grail of most malware operations, than many other malware groups have had.
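The dropper pattern described above leaves a recognisable footprint on an installed device: a seemingly ordinary utility app that holds network access together with SMS, contacts or device-information permissions, or that can request installation of further packages. The script below is an added triage example, not code from Zscaler, Google or the article; it takes a constructed inventory in a simplified `package|label|permissions` format (not real `dumpsys` output) and flags apps whose permission profile matches that pattern. The permission names are real Android permissions; the package names and labels are invented.

```python
from dataclasses import dataclass

# Real Android permission names, grouped by the behaviour the article attributes
# to Joker: stealing SMS, contacts and device information, and (for the dropper
# stage) pulling in and installing further components.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
DEVICE_INFO_PERMS = {"android.permission.READ_PHONE_STATE"}
INSTALL_PERMS = {"android.permission.REQUEST_INSTALL_PACKAGES"}
NETWORK_PERMS = {"android.permission.INTERNET"}


@dataclass(frozen=True)
class InstalledApp:
    package: str
    label: str
    permissions: frozenset


def parse_inventory(text: str) -> list:
    """Parse 'package|label|perm1,perm2,...' lines (a constructed format,
    not real dumpsys output) into InstalledApp records. Blank and '#' lines
    are ignored."""
    apps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        package, label, perms = line.split("|", 2)
        perm_set = frozenset(p.strip() for p in perms.split(",") if p.strip())
        apps.append(InstalledApp(package, label, perm_set))
    return apps


def findings_for(app: InstalledApp) -> list:
    """Return human-readable findings for one app; an empty list means
    nothing in its permission set matches the Joker profile."""
    perms = app.permissions
    found = []
    if perms & SMS_PERMS:
        found.append("reads or receives SMS")
    if perms & CONTACT_PERMS:
        found.append("reads contacts")
    if perms & DEVICE_INFO_PERMS:
        found.append("reads device information")
    if perms & INSTALL_PERMS:
        found.append("can request installation of other packages (dropper capability)")
    # Theft or dropping only matters if the app can also reach the network;
    # an offline app holding these permissions is a lesser concern.
    if found and not (perms & NETWORK_PERMS):
        found.append("no INTERNET permission; lower exfiltration risk")
    return found


def is_joker_profile(app: InstalledApp) -> bool:
    """Flag apps that combine network access with any data-theft permission,
    or that hold install capability at all (the dropper stage itself)."""
    perms = app.permissions
    if perms & INSTALL_PERMS:
        return True
    data_theft = SMS_PERMS | CONTACT_PERMS | DEVICE_INFO_PERMS
    return bool(perms & NETWORK_PERMS) and bool(perms & data_theft)


def triage(apps) -> list:
    """Return (package, findings) for every flagged app, most findings first."""
    flagged = [(a.package, findings_for(a)) for a in apps if is_joker_profile(a)]
    return sorted(flagged, key=lambda pf: (-len(pf[1]), pf[0]))


# Constructed sample inventory; package names and labels are invented.
SAMPLE_INVENTORY = """\
# package|label|comma-separated permissions
com.example.pdfscan|Example PDF Scanner|android.permission.INTERNET,android.permission.CAMERA,android.permission.READ_SMS,android.permission.READ_CONTACTS,android.permission.READ_PHONE_STATE,android.permission.REQUEST_INSTALL_PACKAGES
com.example.messenger|Example Messenger|android.permission.INTERNET,android.permission.RECEIVE_SMS,android.permission.READ_CONTACTS
com.example.torch|Example Flashlight|android.permission.VIBRATE
com.example.offlinesms|Example Offline SMS Backup|android.permission.READ_SMS
com.example.camera|Example Camera|android.permission.INTERNET,android.permission.CAMERA
"""

if __name__ == "__main__":
    for package, findings in triage(parse_inventory(SAMPLE_INVENTORY)):
        print(package)
        for finding in findings:
            print("  -", finding)
```

The heuristic deliberately does not exempt apps whose label suggests a messaging purpose: several of the apps in the list above (Private SMS, Direct Messenger) were exactly that, so a legitimate-looking category is not evidence of safety. The output is a prompt for closer inspection, not a verdict; a PDF scanner that wants SMS access and install capability is the kind of app the article says deserves a second look before installation.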
In January, Google released a blog post describing Joker as one of the most persistent and advanced threats it has faced in recent years. Google said its security teams have removed more than 1,700 apps from the Play Store since 2017.
But Joker is much more widespread than that, also being present in apps loaded on third-party Android app stores.
All in all, Anquanke claimed to have detected more than 13,000 Joker samples since the malware was first discovered in December 2016.
Protecting against Joker is difficult, but users who exercise caution when installing apps that request broad permissions can avoid infection.
In other Android security news
Bitdefender has reported a number of malicious apps to the Google security team. Some of these apps are still available on the Play Store. Bitdefender did not disclose the names of the apps, only the names of the developer accounts from which they were loaded. Users who have installed apps from these developers should remove them immediately.
ThreatFabric also released a report on the disappearance of the Cerberus malware and the rise of the Alien malware, which contains features to steal credentials for 226 applications.