Joker Malware Is No Laughing Matter As Google Play Removes 17 Apps For Billing Fraud
Joker malware has existed for several years, but is still quite persistent. The Zscaler ThreatLabZ research team found seventeen suspicious apps in the Google Play store. The apps were uploaded to Google Play this month and were downloaded over 120,000 times. Google has since removed the following apps:
- All Good PDF Scanner
- Mint Leaf Message-Your Private Message
- Unique Keyboard - Fancy Fonts & Free Emoticons
- Tangram App Lock
- Direct Messenger
- Private SMS
- One Sentence Translator - Multifunctional Translator
- Style Photo Collage
- Meticulous Scanner
- Desire Translate
- Talent Photo Editor - Blur focus
- Care Message
- Part Message
- Paper Doc Scanner
- Blue Scanner
- Hummingbird PDF Converter - Photo to PDF
- All Good PDF Scanner
This discovery prompted the research team to study how these malicious apps manage to get onto, and remain on, the Google Play store. They noted that the above apps employed three kinds of methods: direct download, one-stage download, and two-stage download. In the “direct download” scenario, the final payload was “delivered via a direct URL received from the command and control (C&C) server.” In the second scenario, a stager payload was used to fetch the final payload. In the final scenario, a stage-one payload downloaded a stage-two payload, which then loaded the final payload. All three variants hid the URLs from Google with obfuscation techniques and downloaded the same final payload. You can find more details about these Joker variants here.
What can users do to avoid downloading this kind of malicious app? The research team recommends that users always pay attention to the kinds of permissions an app asks for. In particular, they suggest being wary of an app that has no reason to access your SMS, call logs, contacts, etc., but requests that access anyway. We would personally recommend removing any of the above-mentioned apps immediately, and of course keeping an eye out for unexpected charges on your bank account and billing statements.
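The permission check the researchers recommend can be done mechanically on an app's `AndroidManifest.xml` (extracted from an APK with a tool such as `aapt` or `apktool`). The script below is an added example written for this article, not code from Zscaler, Check Point or Google: it parses a manifest and flags the SMS, call-log and contacts permissions that a billing-fraud app needs but a document scanner does not. The manifest string, package name and app label are constructed for illustration; the permission identifiers are real Android permission names.

```python
import xml.etree.ElementTree as ET

# Namespace used for the android:name attribute in every manifest.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that let an app read or send the texts used by premium-SMS and
# WAP billing, or harvest personal data. A PDF scanner has no need for any of them.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": "read stored SMS (e.g. subscription confirmation codes)",
    "android.permission.RECEIVE_SMS": "intercept SMS as they arrive",
    "android.permission.SEND_SMS": "send SMS (premium-rate subscriptions)",
    "android.permission.READ_CALL_LOG": "read call history",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_PHONE_STATE": "read device identifiers and carrier info",
}

# Constructed sample manifest for a hypothetical "document scanner" app.
# It is not taken from any of the apps named in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical.scanner">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Hypothetical Doc Scanner"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the permission names declared by <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit_permissions(manifest_xml):
    """Return {permission: what it allows} for every sensitive permission requested."""
    return {
        perm: SENSITIVE_PERMISSIONS[perm]
        for perm in declared_permissions(manifest_xml)
        if perm in SENSITIVE_PERMISSIONS
    }


def audit_report(manifest_xml):
    """Human-readable summary: one line per flagged permission, or an all-clear."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get("{%s}label" % ANDROID_NS) if app is not None else root.get("package")
    flagged = audit_permissions(manifest_xml)
    if not flagged:
        return ["%s: no SMS/call-log/contacts permissions requested" % label]
    return ["%s requests %s: %s" % (label, perm, why) for perm, why in flagged.items()]


if __name__ == "__main__":
    for line in audit_report(SAMPLE_MANIFEST):
        print(line)
```

On the sample manifest the report shows that a scanner app is asking to read and intercept SMS and to read contacts, which is exactly the mismatch between an app's purpose and its permissions that the researchers tell users to look for. On a real device the same list of granted permissions is visible under the app's entry in Settings, without any tooling.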
Researchers at Check Point Security also discovered eleven apps in the Google Play Store that were infected with Joker malware. Like the Zscaler ThreatLabZ research team, the Check Point Security researchers also bemoaned these apps' ability to circumvent Google’s vetting process. These apps were all thankfully removed at the end of April 2020.