Joker Malware Marks Another Return to the Play Store, Infects 500K Android Devices

essidsolutions

The Joker malware, which first appeared in 2017, recently made its way back to the Google Play Store by hiding inside Color Message, a popular Android app that has enjoyed over 500,000 downloads. The notorious fleeceware is designed to quietly subscribe Android device users to premium online services, warn experts.

Security researchers at Pradeo recently discovered the Joker malware hiding inside the Android app Color Message, which was downloaded over 500,000 times on Android devices. Noting that the infected app "appears to be making connections to Russian servers," the firm warned users to uninstall it from their devices immediately to prevent data exfiltration and monetary loss.

The reappearance of Joker malware took place just months after the Google Play Store kicked out several innocent-looking apps, such as Fast Magic SMS, Free CamScanner, Travel Wallpapers, Element Scanner, and Auxiliary Message. The malware reportedly piggybacked on these applications to infiltrate tens of thousands of Android devices in August.

Retaining its ability to evade the Play Store’s security controls, the malware is notorious for stealing SMS messages and contacts data and discreetly signing up Android device users to multiple premium services, thereby draining their bank accounts.

“Joker is categorized as Fleeceware as its main activity is to simulate clicks and intercept SMS to subscribe to unwanted paid premium services unbeknownst to users,” said Pradeo. “By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect. In the last two years, the malware was found hiding in hundreds of apps.”

Color Message was caught “making links to Russian servers” under the table, according to Pradeo. Despite receiving numerous one-star ratings, the app was promoted as a messaging platform that “makes texting easy, fun, and beautiful” and had an average score of 4.1 stars.

“Our analysis of the Color Message application through the Pradeo Security engine shows that it accesses users’ contact list and exfiltrates it over the network,” Pradeo said. “Simultaneously, the application automatically subscribes to unwanted paid services unbeknownst to users. To make it difficult to be removed, the application has the capability to hide its icon once installed.”


The notorious spyware, which kept the cybersecurity community busy for over two years, also infected 14 Android apps in a row last month. According to Kaspersky analyst Tatyana Shishkova, the Joker virus piggybacked on at least 14 Android apps to return to the Google Play Store. Some of these apps enjoyed over 50,000 downloads and bore names like Easy PDF Scanner, Now QRCode Scan, Super-click VPN, and Smart TV Remote.

Jonathan Knudsen, a senior security strategist at Synopsys, thinks that the persistent re-emergence of Joker malware on the Google Play Store highlights a fundamental challenge. “How do you know if a piece of software is reasonably secure? While this is certainly a thorny problem for anyone running any kind of app store, it is just as much of a problem for any organization procuring any type of software,” he says.

When software is created, a Secure Software Development Life Cycle (SSDLC) is the best way to improve its security and quality. "You get better software by making security a concern at every phase of software development, and integrating static analysis, software composition analysis, and other types of security testing into development processes," Knudsen suggests.

He further points out that the problem is measuring the security and quality of software. “How do you know it works right? How do you know it doesn’t have gaping security holes? How do you know it isn’t really malware?”


"The answer is a combination of understanding how the software is made and performing security testing on the finished product. In an app store, it's impractical to understand the development processes for every app, so the store must rely on security testing to assess submitted apps. For many organizations, however, the procurement process offers untapped opportunities to assess how vendors build software, to perform rigorous testing, and to make informed decisions based on risk," he adds.

Ilia Kolochenko, the founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, believes that mobile malware is becoming more sophisticated at successfully bypassing gradual security scans and checks at Google Play. This is the reason why Apple now argues that app sideloading is a gift for cybercriminals.

"Android 11 is a fairly secure mobile OS with security and privacy mechanisms comparable to iOS; however, just a small fraction of mobile users have it installed. Millions of Android users are still using obsolete OS versions susceptible to countless vulnerabilities that enable malware to take full control over the devices. Worse, some mobile devices cannot be updated anymore due to vendors' restrictions or inaction.

“But even an up-to-date Android is not a panacea, thus users should selectively install mobile apps from trusted vendors and double-check that the application they install is the official one and not a copycat with malware injected inside, simulating a famous brand name. Apps from unofficial stores or Internet websites should never be installed unless the user understands what s/he is doing,” Kolochenko adds.
