A new collection of trojanized applications has been discovered spreading the notorious Joker malware to Android devices via the Google Play Store. Joker, a serial offender, is a class of malicious programs used for billing and SMS fraud and a variety of other malicious activities, including collecting text messages, contact lists, and device information.
Despite Google’s best efforts to beef up its security, the applications are continually reworked to find loopholes and get into the app store unnoticed. “They’re usually spread on Google Play, where scammers download legitimate apps from the store, add malicious code to them and re-upload them to the store under a different name,” Kaspersky researcher Igor Golovin said in a recently published report.
The trojanized applications, which take the place of their deleted counterparts, frequently pose as messaging, health tracking, and PDF scanner apps. Once installed, they ask for permission to read text messages and notifications, which are then used to enroll users in premium subscriptions. Joker gets around the Google Play screening process by keeping its harmful payload “dormant” and activating it only after the applications have gone live on the Play Store.
The following are three Joker-infected applications discovered by Kaspersky at the end of February 2022. They are still available via third-party app vendors, despite being removed from Google Play.
- Style Message (com.stylelacat.messagearound)
- Blood Pressure App (blood.maodig.raise.bloodrate.monitorapp.plus.tracker.tool.health)
- Camera PDF Scanner (com.jiao.hdcam.docscanner)
This isn’t the first time subscription trojans have been seen on app stores. Last year, spyware known as Triada was discovered in apps for the APKPure app store and in a frequently used WhatsApp mod. Then, in September 2021, Zimperium revealed GriftHorse, an aggressive money-making scam, followed this January by Dark Herring, yet another example of premium service abuse.
“Subscription trojans can bypass bot detection on websites for paid services, and sometimes they subscribe users to scammers’ own non-existent services,” said Golovin. “To avoid unwanted subscriptions, avoid installing apps from unofficial sources, which is the most frequent source of malware.”
Even when installing programs from official app stores, users should read the reviews, verify the developers’ identity, read the terms of service, and only provide permissions required to execute the intended activities.
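For defenders auditing a device, the following added example (not from Kaspersky's report) checks for the three package names listed above and for any app that holds both SMS read access and notification access, the permission pair the article describes. It parses the text output of `adb shell pm list packages`, `adb shell settings get secure enabled_notification_listeners` and `adb shell dumpsys package <pkg>`; the function names, the choice of `READ_SMS`/`RECEIVE_SMS` as the SMS permissions to check, and the sample data are assumptions made for illustration.

```python
import re

# Package names of the three Joker-infected apps named in the article.
JOKER_PACKAGES = {
    "com.stylelacat.messagearound",
    "blood.maodig.raise.bloodrate.monitorapp.plus.tracker.tool.health",
    "com.jiao.hdcam.docscanner",
}
# Assumption: these two Android permissions cover "read text messages".
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

def parse_packages(pm_output):
    """Package names from `adb shell pm list packages` ("package:<name>" lines)."""
    return {line.strip()[len("package:"):] for line in pm_output.splitlines()
            if line.strip().startswith("package:")}

def parse_listeners(setting_value):
    """Packages from the enabled_notification_listeners secure setting
    (colon-separated "pkg/component" entries; "null" when none are set)."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def granted_permissions(dumpsys_output):
    """Permissions marked granted=true in `adb shell dumpsys package <pkg>`."""
    return set(re.findall(r"^\s*([\w.]+): granted=true", dumpsys_output, re.M))

def audit(pm_output, listener_setting, dumpsys_by_package):
    """Return (known_bad, sms_and_notifications) as two sets of package names."""
    installed = parse_packages(pm_output)
    listeners = parse_listeners(listener_setting)
    known_bad = installed & JOKER_PACKAGES
    risky = {pkg for pkg in installed & listeners
             if granted_permissions(dumpsys_by_package.get(pkg, "")) & SMS_PERMS}
    return known_bad, risky

# Constructed sample output for offline use; not captured from a real device.
SAMPLE_PM = ("package:com.android.settings\npackage:com.jiao.hdcam.docscanner\n"
             "package:com.example.flashlight\n")
SAMPLE_LISTENERS = "com.example.flashlight/com.example.flashlight.NotifService\n"
SAMPLE_DUMPSYS = {"com.example.flashlight": (
    "    runtime permissions:\n"
    "      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]\n"
    "      android.permission.CAMERA: granted=false\n")}

if __name__ == "__main__":
    bad, risky = audit(SAMPLE_PM, SAMPLE_LISTENERS, SAMPLE_DUMPSYS)
    print("Known Joker packages installed:", sorted(bad))
    print("Apps holding SMS read + notification access:", sorted(risky))
```

A legitimate messaging app can also hold both permissions, so the second set is a review list rather than a verdict; the package-name match covers only the three apps named here.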