Google has removed this week 17 Android applications from the official Play Store. The 17 apps, spotted by security researchers from Zscaler, were infected with the Joker (aka Bread) malware.
"This spyware is designed to steal SMS messages, contact lists, and device information, along with silently signing up the victim for premium wireless application protocol (WAP) services," Zscaler security researcher Viral Gandhi said this week.
The 17 malicious apps were uploaded on the Play Store this month and didn't get a chance to gain a following, having been downloaded more than 120,000 times before being detected.
The names of the 17 apps were:
- All Good PDF Scanner
- Mint Leaf Message-Your Private Message
- Unique Keyboard - Fancy Fonts and Free Emoticons
- Tangram App Lock
- Direct Messenger
- Private SMS
- One Sentence Translator - Multifunctional Translator
- Style Photo Collage
- Meticulous Scanner
- Desire Translate
- Talent Photo Editor - Blur focus
- Care Message
- Part Message
- Paper Doc Scanner
- Blue Scanner
- Hummingbird PDF Converter - Photo to PDF
- All Good PDF Scanner
Following its internal procedures, Google removed the apps from the Play Store, used the Play Protect service to disable the apps on infected devices, but users still need to manually intervene and remove the apps from their devices.
Joker is the Play Store's bane
But this recent takedown also marks the third such action from Google's security team against a batch of Joker-infected apps over the past few months.
Before that, in July, Google removed another batch of Joker-infected apps discovered by security researchers from Anquanke. This batch had been active since March and had managed to infect millions of devices.
The way these infected apps usually manage to sneak their way past Google's defenses and reach the Play Store is through a technique called "droppers," where the victim's device is infected in a multi-stage process.
The technique is quite simple, but hard to defend against, from Google's perspective.
Malware authors begin by cloning the functionality of a legitimate app and uploading it on the Play Store. This app is fully functional, requests access to dangerous permissions, but also doesn't perform any malicious actions when it's first run.
Because the malicious actions are usually delayed by hours or days, Google's security scans don't pick up the malicious code, and Google usually allows the app to be listed on the Play Store.
But once on a user's device, the app eventually downloads and "drops" (hence the name droppers, or loaders) other components or apps on the device that contain the Joker malware or other malware strains.
The Joker family, which Google tracks internally as Bread, has been one of the most ardent users of the dropper technique. This, in turn, has allowed Joker to make it on the Play Store -- the Holy Grail of most malware operations -- more than many other malware groups. In January, Google published a blog post where it described Joker as one of the most persistent and advanced threats it has dealt with in the past years. Google said that its security teams had removed more than 1,700 apps from the Play Store since 2017.
But Joker is far more widespread than that, being also found in apps uploaded on third-party Android app stores as well.
All in all, Anquanke said it detected more than 13,000 Joker samples since the malware was first discovered in December 2016.
Protecting against Joker is hard, but if users show some caution when installing apps with broad permissions, they can avoid getting infected.
In other Android security news
Bitdefender reported a batch of malicious apps to Google's security team. Some of these apps are still available on the Play Store. Bitdefender didn't reveal the name of the apps, but only the names of the developer accounts from which they were uploaded. Users who have installed apps from these developers should remove them right away.
Updated on September 28 to add that after this article's publication, both Zimperium and Kaspersky also published reports about new Joker malware strains, confirming a recent spike in Joker activity, as reported by Zscaler, Pradeo, and Anquanke.