A malicious Android application with over 500,000 downloads from the Google Play app store has been found to carry malware that secretly sends users’ contact details to an attacker-controlled server and signs them up for unwanted paid premium subscriptions without their knowledge.
The newest Joker malware was discovered in Color Message (“com.guo.smscolor.amessage”), a messaging-focused app that has since been removed from the official app store. It has also been observed faking clicks to generate revenue from fraudulent adverts and connecting to servers located in Russia.
The mobile security firm Pradeo explained that Color Message accesses users’ contact information and exfiltrates it across the network [and] automatically subscribes to undesirable premium services. Once installed, the program can disguise its icon, making it difficult to delete.
Color Message’s developers state in their terms and conditions that they are devoted to ensuring the software is valuable and efficient, and that they therefore reserve the right to modify the app at any time and for any reason, as well as to charge for its services. They also state that they will never charge for the app or its services unless they make it crystal clear what users are paying for.
Joker has been a notable fleeceware since its discovery in 2017, infamous for various harmful actions, including billing abuse and intercepting SMS messages, contact details, and device information without users’ knowledge.
The rogue applications have continued to use a barrage of evasion strategies to get past Google Play restrictions, to the point that Android’s Security and Privacy Team has stated that malware authors are using nearly every known cloaking and obfuscation method in an attempt to avoid detection.