Cybersecurity researchers have unmasked six applications on the Google Play Store with a combined total of over 200,000 downloads in yet another example of the highly persistent malware that has been plaguing Android users for the past three years.
Joker malware pretends to be a legitimate app in the Play Store but after installation, conducts billing fraud by either sending SMS messages to a premium rate number or using the victim’s account to repeatedly make purchases using WAP billing, which also lines the pockets of Joker’s operators.
The activity occurs behind the scenes and without any input required from the user, meaning they often won’t find out that they’ve been scammed until they receive a phone bill full of additional charges.
Google has removed over 1,700 apps containing Joker malware from the Play Store since 2017, but the malware keeps re-emerging and now six new malicious apps have been identified by researchers at cybersecurity company Pradeo.
Of the six apps uncovered as delivering Joker, one called ‘Convenient Scanner 2’ has been downloaded over 100,000 times, while ‘Separate Doc Scanner’ has been downloaded by 50,000 users.
Another app, ‘Safety AppLock’, claims to ‘protect your privacy’ and has been installed 10,000 times by unfortunate victims who will eventually find that the malicious download harms, rather than protects, them.
Two more apps have also received 10,000 downloads each – ‘Push Message-Texting&SMS’ and ‘Emoji Wallpaper’, while one named Fingertip GameBox has been downloaded 1,000 times.
The six apps have now been removed from the Play Store after being disclosed to Google by Pradeo. ZDNet has attempted to contact Google for comment; no response had been received at the time of publication.
Users who have any of the applications on their Android smartphone are urged to remove them immediately.
The six apps are just the latest in a long line of malicious downloads that the group behind Joker – also known as Bread – have attempted to sneak into the Play Store.
A previous blog post by Google’s Android security and privacy team describes Joker as one of the most persistent threats the Play Store faces, with the attackers behind it having “at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected”.
They also note that the sheer number of attempted submissions to the Play Store is one of the reasons it has remained so successful, with up to 23 different apps submitted a day during peak times.
In many cases, the malicious apps have been able to bypass the defences of the Play Store by submitting clean apps to begin with, only to add malicious functionalities at a later date.
“These apps are riddled with permission requests and submitted to Google Play by their developers. They get approved, published and installed by users. Once running on users’ devices, they automatically download malicious code,” Pradeo’s Roxane Suau told ZDNet.
“Then, they leverage their numerous permissions to execute the malicious code. Security checks of these apps’ source code as it is published on the store do not detect the malware, because it’s not there yet,” she added.
The authors of Joker attempt to encourage downloads of the malware by entering fake positive reviews – although many of the apps identified by Pradeo also have many negative reviews by users who’ve fallen victim to the malware, something that users should look out for when downloading apps.
The individual or group behind Joker is highly likely to still be active and attempting to trick more users into downloading malware in order to continue the fraud operation.
Google has removed 56 Android applications from the official Google Play Store that the company says were part of an ad fraud botnet.
Named Terracotta, this botnet was discovered by White Ops, a security firm specialized in identifying bot behavior.
White Ops researchers said they’ve been tracking Terracotta since late 2019 when the botnet seems to have become active.
Per the researchers, Terracotta operated by uploading apps on the Google Play Store that promised users free perks if they installed the applications on their devices.
The apps usually offered free shoes, sneakers, boots, and sometimes tickets, coupons, and expensive dental treatments. Users were told to install the app and then wait two weeks to receive the free products, during which time they had to leave the app installed on their smartphone.
However, the apps downloaded and ran a modified version of WebView, a slimmed-down version of Google Chrome. The Terracotta gang launched the modified WebView browser, hidden from the user’s view, and performed ad fraud by loading ads and gaining revenue from fake ad impressions.
The White Ops team described Terracotta as both complex and massive. It was complex because it used advanced techniques to avoid detection from the defrauded ad networks, and was massive because of the scale at which it operated.
For example, White Ops said that in the final week of June alone, the Terracotta botnet silently loaded more than two billion ads inside 65,000 infected smartphones alone.
Currently, after Google’s intervention, the botnet’s presence on the Play Store has been reduced, but not removed altogether, with some devices still appearing to be infected.
Some users might think that because the malicious Terracotta apps were defrauding ad networks and not the users directly, this botnet might not be a problem for them, but, on infected devices, the malicious apps would often wear out batteries and consume mobile bandwidth traffic due to the fact the malicious apps are running around the clock.
A list of Terracotta-infected apps is available in this PDF file.
These apps have been taken down from the Play Store and Google has disabled them on all users’ devices, stopping their malicious behavior.
“Due to our collaboration with White Ops investigating the TERRACOTTA ad fraud operation, their critical findings helped us connect the case to a previously-found set of mobile apps and to identify additional bad apps. This allowed us to move quickly to protect users, advertisers, and the broader ecosystem – when we determine policy violations, we take action,” a Google spokesperson said.
For security researchers, Android app developers, and software engineers, White Ops has published an in-depth technical report detailing Terracotta’s inner-workings.