17 apps removed from Play store spotted Joker malware

joker malware

Google has long been locked in a battle with cybercriminals who create and submit malicious apps to the Play store that somehow sneak past the company's protections. One especially pervasive and problematic piece of malware is the one dubbed Joker, aka Bread. In the latest round, Google was forced to put the kibosh on 17 malicious apps uploaded in September that tried to infect unsuspecting users with the Joker malware.

JOKER IS THE PLAY STORE'S BANE

Google removed six such apps at the start of the month after they've been spotted and reported by security researchers from Pradeo. Before that, in July, Google removed another batch of Joker-infected apps discovered by security researchers from Anquanke. This batch had been active since March and had managed to infect millions of devices.

The firm also mentioned that the Joker malware also steals device information and silently signs up into the victim's smartphone for premium wireless application protocol (WAP) services. This information was given by a Zscaler security researcher who also explained how this virus works until its final stage of billing using the victims' WAP services.

Following its internal procedures, Google removed the apps from the Play Store, used the Play Protect service to disable the apps on infected devices, but users still need to manually intervene and remove the apps from their devices. 

The 17 apps included the following:

  1. All Good PDF Scanner
  2. Mint Leaf Message-Your Private Message
  3. Unique Keyboard - Fancy Fonts & Free Emoticons
  4. Tangram App Lock
  5. Direct Messenger
  6. Private SMS
  7. One Sentence Translator - Multifunctional Translator
  8. Style Photo Collage
  9. Meticulous Scanner
  10. Desire Translate
  11. Talent Photo Editor - Blur focus
  12. Care Message
  13. Part Message
  14. Paper Doc Scanner
  15. Blue Scanner
  16. Hummingbird PDF Converter - Photo to PDF
  17. All Good PDF Scanner

 Some malicious apps contain a stager payload, which retrieves and downloads the final payload URL from the code and then executes it on the infected device. In the latest case, the malicious apps incorporated the stager payload URL directly in their code using encryption or another method to disguise it. The final stage payload then executed the Joker malware. But there were still a total of around 120k+ downloads for the identified malicious apps, as Zscaler noted in a blog post.