This week Google removed 17 Android apps from the official Play Store. All 17 apps were infected with Joker malware, according to Viral Gandhi, a security researcher at Zscaler. “This spyware is designed to steal text messages, contact lists, and device information, while quietly registering advanced wireless application protocol (WAP) services for victims,” he said.
The 17 apps are:
All Good PDF Scanner
Mint Leaf Message-Your Private Message
Unique Keyboard – Fancy Fonts and Free Emoticons
Tangram App Lock
One Sentence Translator – Multifunctional Translator
Style Photo Collage
The Reynity Scanner
Talent Photo Editor – Blur Focus
Paper Doc Scanner
Hummingbird PDF Converter – Photo to PDF
All Good PDF Scanner
Google has removed the apps from the Play Store and used its Play Protect service to disable them, but users still need to remove them from their devices manually.
Joker is the scourge of the Play Store. This is the third time in recent months that Google’s security team has dealt with Joker-infected apps. Earlier this month, Google’s team removed six infected apps. In July, Google security researchers also discovered a batch of apps infected by Joker.
According to the investigation, the malware has been active since March and has successfully infected millions of devices.
These infected applications use a technique known as a dropper. The technique allows infected apps to bypass Google’s security defenses, go straight to the Play Store, and infect victims’ devices in multiple stages.
From Google’s point of view, the technique is simple but difficult to defend against.
First, the creators of the malware clone the features of a legitimate application and upload the clone to the Play Store. In general, this application is fully functional and can request access, but does not perform any malicious actions the first time it runs. Because the malicious actions are often delayed by hours or days, Google’s security scans do not detect the malicious code, and such applications typically make it onto the Play Store.
However, once installed on a user’s device, the application downloads and “drops” (hence the names droppers or loaders) other components or applications that contain Joker or other malware.
In January, Google published a blog post stating that Joker was one of the most persistent and advanced threats it had faced in the past few years. Meanwhile, Google says its security team has removed more than 1,700 apps from the Play Store since 2017. In summary, Joker is difficult to prevent, but users who are more cautious when installing applications that request broad permissions can reduce the likelihood of infection.
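One way to act on the advice about broad permissions is to audit what installed apps have actually been granted. The following is an added example, not part of the original article: it parses text in the style of `adb shell dumpsys package` output and flags apps that hold permissions covering two or more of the data types the article says Joker steals. The permission mapping, the threshold, the package names and the sample dump are assumptions constructed for illustration, and a flagged app is a candidate for review, not a confirmed infection.

```python
import re

# Assumed mapping: permissions covering the data the article says Joker steals.
SENSITIVE = {
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.READ_PHONE_STATE": "device information",
}
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

def granted_permissions(dump):
    """Map each package name to the set of permissions marked granted=true."""
    result, current = {}, None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = result.setdefault(m.group(1), set())
            continue
        m = GRANT_RE.match(line)
        if m and current is not None and m.group(2) == "true":
            current.add(m.group(1))
    return result

def flag_broad(dump, threshold=2):
    """Return {package: data categories} for apps holding >= threshold categories."""
    flagged = {}
    for pkg, perms in granted_permissions(dump).items():
        cats = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
        if len(cats) >= threshold:
            flagged[pkg] = cats
    return flagged

# Constructed, abridged sample in the style of `adb shell dumpsys package` output.
SAMPLE_DUMP = """\
  Package [com.example.pdfscanner] (1a2b3c):
    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=false
"""

if __name__ == "__main__":
    print(flag_broad(SAMPLE_DUMP))
```

In the constructed sample, the scanner app is flagged because a PDF scanner has no functional need for SMS, contacts and phone-state access together, while the notes app with a single granted category is not.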
Bitdefender also reported a number of malicious apps to Google’s security team, some of which are still available on the Play Store. Bitdefender did not disclose the names of the applications, only the names of the developer accounts that uploaded them, and said users who have installed these developers’ applications should delete them immediately.