Over 500,000 Android Users Downloaded a New Joker Malware App from Play Store
A malicious Android app with over 500,000 downloads from the Google Play app store has been discovered to be hosting malware that stealthily exfiltrates users’ contact lists to an attacker-controlled server and signs users up for unwanted paid premium subscriptions without their knowledge.
The latest Joker malware was discovered in Color Message (“com.guo.smscolor.amessage”), a messaging-focused app that has since been removed from the official app marketplace. Furthermore, it has been observed simulating clicks in order to generate revenue from malicious ads and connecting to Russian servers.
Color Message “accesses users’ contact lists and exfiltrates them over the network [and] automatically subscribes to unwanted paid services,” according to Pradeo, a mobile security firm. “The application has the capability of hiding its icon once installed to make it difficult to remove.”
“We are [sic] committed to making the app as useful and efficient as possible,” the Color Message developers state in their terms and conditions. “As a result, we reserve the right to modify the app or charge for its services at any time and for any reason. We will never charge you for the app or its services unless we make it very clear what you are paying for.”
Since its discovery in 2017, Joker has been a notorious fleeceware family, known for a variety of malicious activities, including billing fraud and intercepting SMS messages, contact details, and device information without the users’ knowledge.
The rogue apps “have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected,” according to Android’s Security and Privacy Team.