A new batch of trojanized apps distributed via the Google Play Store has been observed distributing the notorious Joker malware on compromised Android devices.
Joker, a repeat offender, refers to a class of malicious apps that are used for billing and SMS fraud while also performing a variety of actions of the attacker's choice, such as stealing text messages, contact lists and device information.
Despite continued attempts by Google to bolster its defenses, the apps have been continuously iterated to look for loopholes and slip undetected into the app store.
“They are usually distributed on Google Play, where scammers download legitimate apps from the store, add malicious code to them and re-upload them to the store under a different name,” said Kaspersky researcher Igor Golovin in a report published last week.
The trojanized apps, which take the place of their removed counterparts, often appear as messaging, health tracking and PDF scanner apps that, once installed, request permission to access text messages and notifications and misuse it to subscribe users to premium services without their knowledge.
A sneaky trick used by Joker to bypass Google Play’s verification process is to make its malicious payload “dormant” and enable its features only after the apps go live on the Play Store.
Three of the Joker-infected apps detected by Kaspersky up to the end of February 2022 are listed below. Although they have been removed from Google Play, they are still available from third-party app providers.
- Style Message (com.stylelacat.messagearound)
- Blood Pressure App (blood.maodig.raise.bloodrate.monitorapp.plus.tracker.tool.health)
- Camera PDF Scanner (com.jiao.hdcam.docscanner)
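As an added defender-side example (not code from Kaspersky or the article), the script below triages a device's third-party package list against the three package names above and flags any app that combines the two capabilities the article describes being abused: SMS access and notification-listener access. The adb output it parses is constructed sample data, and the per-package dumpsys fragment is an assumed, simplified layout of the real runtime-permission lines.

```python
import re

# Package names of the three Joker samples named in the article.
KNOWN_JOKER_PACKAGES = {
    "com.stylelacat.messagearound",
    "blood.maodig.raise.bloodrate.monitorapp.plus.tracker.tool.health",
    "com.jiao.hdcam.docscanner",
}
# Constructed stand-in for `adb shell pm list packages -3` (third-party apps).
SAMPLE_PM_LIST = """package:com.example.weather
package:com.jiao.hdcam.docscanner
package:com.example.notes
"""
# Constructed stand-in for `adb shell settings get secure enabled_notification_listeners`.
SAMPLE_LISTENERS = "com.jiao.hdcam.docscanner/.NotifSvc:com.example.notes/.Listener"
# Constructed, simplified stand-in for `adb shell dumpsys package <pkg>` runtime-permission
# lines; the `<permission>: granted=<bool>` layout is an assumption about the real output.
SAMPLE_DUMPSYS = {
    "com.jiao.hdcam.docscanner": "android.permission.READ_SMS: granted=true\n",
    "com.example.notes": "android.permission.READ_SMS: granted=false\n",
    "com.example.weather": "",
}

def parse_packages(pm_output):
    return {ln[len("package:"):].strip() for ln in pm_output.splitlines() if ln.startswith("package:")}

def parse_listeners(setting):
    # Listener components are ':'-separated; the package name is the part before '/'.
    return {comp.split("/")[0] for comp in setting.split(":") if comp}

def has_sms_read(dumpsys_text):
    return re.search(r"android\.permission\.READ_SMS: granted=true", dumpsys_text) is not None

def triage(pm_output, listener_setting, dumpsys_by_pkg):
    """Return {package: [reasons]} for installed apps that deserve a closer look."""
    findings = {}
    listeners = parse_listeners(listener_setting)
    for pkg in sorted(parse_packages(pm_output)):
        reasons = []
        if pkg in KNOWN_JOKER_PACKAGES:
            reasons.append("package name matches a Joker sample named by Kaspersky")
        # The subscription fraud described needs SMS and notification access together.
        if pkg in listeners and has_sms_read(dumpsys_by_pkg.get(pkg, "")):
            reasons.append("holds READ_SMS and notification-listener access")
        if reasons:
            findings[pkg] = reasons
    return findings

if __name__ == "__main__":
    for pkg, why in triage(SAMPLE_PM_LIST, SAMPLE_LISTENERS, SAMPLE_DUMPSYS).items():
        print(pkg, "->", "; ".join(why))
```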
This isn’t the first time subscription Trojans have been spotted on app marketplaces. Last year, apps for the APKPure App Store and a widely used WhatsApp mod were compromised with malware called Triada.
Then, in September 2021, Zimperium disclosed an aggressive money-making scheme called GriftHorse, followed by another case of premium service abuse called Dark Herring earlier this January.
“Subscription Trojans can bypass bot detection on websites for paid services, and sometimes they subscribe users to scammers’ non-existent services,” Golovin said.
“To avoid unwanted subscriptions, avoid installing apps from unofficial sources, which are the most common source of malware.”
Also, when downloading apps from official app stores, users are advised to read the reviews, check the legitimacy of the developers and the terms of service, and grant only the permissions necessary for the app's intended functions.