17 Google Play Store apps infected with malware were forcibly removed

This week Google removed 17 Android apps from the official Play Store. All 17 apps were infected with Joker malware, according to Viral Gandhi, a security researcher at Zscaler. “This spyware is designed to steal text messages, contact lists, and device information, while quietly registering advanced wireless application protocol (WAP) services for victims,” he said.

The 17 apps are:

All Good PDF Scanner

Mint Leaf Message-Your Private Message

Unique Keyboard – Fancy Fonts and Free Emoticons

Tangram App Lock

Direct Messenger

Private SMS

One Sentence Translator – Multifunctional Translator

Style Photo Collage

The Reynity Scanner

Desire Translate

Talent Photo Editor – Blur Focus

Care Message

Part Message

Paper Doc Scanner

Blue Scanner

Hummingbird PDF Converter – Photo to PDF

All Good PDF Scanner

Google has removed the apps from the Play Store and used the Play Protect service to disable them, but users still need to remove them from their devices manually.

Joker is the scourge of the Play Store. This is the third time in recent months that Google’s security team has dealt with Joker-infected apps. Earlier this month, Google’s team removed six infected apps. In July, Google security researchers also discovered a batch of apps infected by Joker.

According to the investigation, the malware has been active since March and has successfully infected millions of devices.

These infected applications use a technique known as a dropper. It allows infected apps to bypass Google’s security defenses, reach the Play Store, and infect victims’ devices in multiple stages.

From Google’s point of view, the technique is simple but difficult to defend against.

First, the creators of the malware clone the functionality of a legitimate application and upload the clone to the Play Store. In general, this application is fully functional and can request access, but it does not perform any malicious actions the first time it runs. Because the malicious actions are often delayed by hours or days, Google’s security scans do not detect malicious code, and such applications typically make it into the Play Store.

However, once installed on a user’s device, the application downloads and “drops” (hence the name droppers or loaders) other components or applications that contain Joker or other malware.

In January, Google published a blog post claiming that Joker was one of the most persistent and advanced threats it had faced in the past few years. Meanwhile, Google says its security team has removed more than 1,700 apps from the Play Store since 2017. In summary, it is difficult to prevent Joker, but if users are more cautious when installing applications with broad permissions, they can reduce the likelihood of infection.

Bitdefender also reported a number of malicious apps to Google’s security team, some of which are still available on the Play Store. Bitdefender did not disclose the names of the applications, only the name of the developer account that uploaded them, and said users who installed that developer’s applications should delete them immediately.