Google Removes 17 Apps From Play Store With Joker Malware for WAP Billing Fraud

Those apps with over 120,000 downloads evaded Google's scrutiny with a dropper technique that could download the malware later through a multi-stage process

Joker malware has started to become a nemesis for Google's Play Store. Since January 2020, Google has removed over 1,000 apps and it has done so for another 17 malicious apps with over 120,000 downloads.

These 17 apps were identified by security researchers from Zscaler, this week as they were "designed to steal SMS messages, contact lists, and device information." These apps could also sign up to premium wireless application protocol (WAP) services without the victims noticing, Viral Gandhi Zscaler's security researcher said.

android malware attacks
Joker malware has managed to sneak past Google's scrutiny and continues to be a headache for the tech giant Dado Ruvic/Illustration/Reuters

With Joker malware spreading like wildfire, security researchers have been constantly monitoring such potential apps. Gandhi said the team had seen regular uploads to the Play Store despite increased scrutiny from Google. Zscaler team promptly informed Google about their findings and the tech giant removed the apps. As for users who have it installed, Google has disabled the apps using Play Protect service. However, users have to manually uninstall the apps to get rid of them completely.

Joker Nemesis

The way Joker became a nemesis for Batman in DC comics, the malware of the same name has been finding ways to breach Google's Play Store security. Zscaler dug deep to find out how did all those apps manage to sneak past Google's scrutiny.


At first, the apps seem moderately harmless although it asks for various permission even if it doesn't require them. Once installed, it doesn't immediately start malicious acts as Play Protect usually scans the app. But in a few days, as Google doesn't run scans, the apps start downloading the malware payload. The technique such malware authors are using is called "droppers" where a device is infected through a multi-stage process, reported
ZDNet.

Zscaler researcher found that in some of the Joker variants, the final payload was delivered through a direct URL from the command and control (C&C) server. In this process, the apps are uploaded to the Play Store without the malicious code. But the apps have the "C&C server address hidden in the code with string obfuscation," Zscaler observed.

Android Apps
Google removed 17 apps with over 120,000 downloads that were uploaded in September Zscaler

In another scenario, malware authors use a different technique. Instead of providing the C&C address to download the final payload of the malware, they provide a URL to download the stager payload. So, when a malicious app is installed, it downloads stager which in turn downloads the final payload. The problem is that since the stager payload is encrypted using Advanced Encryption Standard (AES), it is difficult to check for malicious codes.

The other problem is such apps are present on third-party app stores, making it difficult for Google to protect Android users. However, researchers say that noticing app permission while installing apps would help in identifying such malware.

"Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page also helps identify compromised apps," Gandhi said.

Related topics : Cybersecurity
READ MORE