Warning over new Android spyware, dubbed Joker, found in 24 malicious apps in Google's Play store
Joker malware can read SMS messages, contact lists and other information on victims' Android handsets
Researchers have discovered new Android spyware, dubbed Joker, hiding in 24 malicious apps in Google's Play store, with more than 472,000 installs in total.
The spyware was first noticed in June 2019, when it was found employing stealth tactics to infect the phones of potential targets in order to steal their private data, including SMS messages, contact lists, device information, and several other details.
In addition, the malware was also observed to be signing victims up for premium service subscriptions in efforts to drain money from their wallets.
This malware kit stands out as a small and a silent one. It is using as little Java code as possible and thus generates as little footprint as possible
"The described trojan employs notably stealthy tactics to perform quite malicious activities on Google Play, while hiding within the advertisement frameworks and not exposing too much of its malicious code out in the open," said security researcher Aleksejs Kuprins.
"This malware kit stands out as a small and a silent one. It is using as little Java code as possible and thus generates as little footprint as possible," he added.
The Joker malware derives its name from one of its command-and-control servers.
According to Kuprins, after any one of the 24 malicious apps is installed by an Android user, the advertisement framework shows a splash screen displaying the app logo. In the meantime, the ad framework also runs several other malicious processes in the background, for example, downloading the second-stage Dalvik Executable file (DEX) on the handset.
The file, which is a code file for the Android operating system, drops the payload with capabilities to read contact lists, SMS messages, and other device info available on the device.
In many cases, the Trojan was found to be automatically signing up victims for premium service subscriptions for various services. For example, it silently signs-up victims from Denmark for services costing 50 Danish kroner (about €7) per week.
To avoid detection, the spyware receives dynamic code and commands over HTTP from operators, and then runs the code using JavaScript-to-Java callbacks.
So far, Joker malware has been observed targeting users in 37 countries, including the US, UK, France, Germany, Australia and China, using country codes.
It executes the second-stage payload on a handset containing a SIM card from one of the 37 target countries.
Google says it removed all 24 malicious apps from the Play Store after being notified about them by the security researchers.
However, Joker is not the first spyware hiding in apps available on Google's official app marketplace.
In July, security researchers said they had found more than 1,000 Android apps, including apps from well-known publishers, such as Disney, circumventing Android's permissions in order to share personally identifiable data from users' devices.
Earlier in 2017, Google cracked down on a large number of apps in its Android Play Store that lacked a proper privacy policy or failed to protect sensitive data.