Google removes 17 Android apps caught engaging in WAP billing fraud
Securing Your Mobile Enterprise
Mobile devices continue their march toward becoming powerful productivity machines. But they are also major security risks if they aren’t managed properly. We look at the latest wisdom and best practices for securing the mobile workforce.
Google has removed this week 17 Android applications from the official Play Store. The 17 apps, spotted by security researchers from Zscaler, were infected with the Joker (aka Bread) malware.
“This spyware is designed to steal SMS messages, contact lists, and device information, along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zscaler security researcher Viral Gandhi said this week.
The 17 malicious apps were uploaded on the Play Store this month and didn’t get a chance to gain a following, having been downloaded more than 120,000 times before being detected.
The names of the 17 apps were:
All Good PDF ScannerMint Leaf Message-Your Private MessageUnique Keyboard – Fancy Fonts and Free EmoticonsTangram App LockDirect MessengerPrivate SMSOne Sentence Translator – Multifunctional TranslatorStyle Photo CollageMeticulous ScannerDesire TranslateTalent Photo Editor – Blur focusCare MessagePart MessagePaper Doc ScannerBlue ScannerHummingbird PDF Converter – Photo to PDFAll Good PDF Scanner
Following its internal procedures, Google removed the apps from the Play Store, used the Play Protect service to disable the apps on infected devices, but users still need to manually intervene and remove the apps from their devices.
Joker is the Play Store’s bane
But this recent takedown also marks the third such action from Google’s security team against a batch of Joker-infected apps over the past few months.
Google removed six such apps at the start of the month after they’ve been spotted and reported by security researchers from Pradeo.
Before that, in July, Google removed another batch of Joker-infected apps discovered by security researchers from Anquanke. This batch had been active since March and had managed to infect millions of devices.
The way these infected apps usually manage to sneak their way past Google’s defenses and reach the Play Store is through a technique called “droppers,” where the victim’s device is infected in a multi-stage process.
The technique is quite simple, but hard to defend against, from Google’s perspective.
Malware authors begin by cloning the functionality of a legitimate app and uploading it on the Play Store. This app is fully functional, requests access to dangerous permissions, but also doesn’t perform any malicious actions when it’s first run.
Because the malicious actions are usually delayed by hours or days, Google’s security scans don’t pick up the malicious code, and Google usually allows the app to be listed on the Play Store.
But once on a user’s device, the app eventually downloads and “drops” (hence the name droppers, or loaders) other components or apps on the device that contain the Joker malware or other malware strains.
The Joker family, which Google tracks internally as Bread, has been one of the most ardent users of the dropper technique. This, in turn, has allowed Joker to make it on the Play Store — the Holy Grail of most malware operations — more than many other malware groups. In January, Google published a blog post where it described Joker as one of the most persistent and advanced threats it has dealt with in the past years. Google said that its security teams had removed more than 1,700 apps from the Play Store since 2017.
But Joker is far more widespread than that, being also found in apps uploaded on third-party Android app stores as well.
All in all, Anquanke said it detected more than 13,000 Joker samples since the malware was first discovered in December 2016.
Protecting against Joker is hard, but if users show some caution when installing apps with broad permissions, they can avoid getting infected.
In other Android security news
Bitdefender reported a batch of malicious apps to Google’s security team. Some of these apps are still available on the Play Store. Bitdefender didn’t reveal the name of the apps, but only the names of the developer accounts from which they were uploaded. Users who have installed apps from these developers should remove them right away.
ThreatFabric also published a report about the demise of the Cerberus malware and the rise of the Alien malware, which contains features to steal credentials for 226 applications.
Updated on September 28 to add that after this article’s publication, both Zimperium and Kaspersky also published reports about new Joker malware strains, confirming a recent spike in Joker activity, as reported by Zscaler, Pradeo, and Anquanke.