Google has been playing whack-a-mole with various iterations of the Joker malware for over a year now. If you’re unfamiliar with Joker, it is a particularly sneaky piece of malware that’s been circulating in apps delivered via the Google Play store to Android devices. Typically, a small piece of software — that is but one component of Joker — is injected into the advertising framework or hidden in another part of an app. When the user runs that app, if the user’s information, carrier network, and device meet certain criteria, another component of Joker kicks in and downloads a more nefarious payload. When that payload is executed, Joker hides in the background on a device and silently spies on the user, stealing their contact lists, SMS messages, and other identifying data stored on the device. In addition, Joker mimics user interactions on premium advertising and subscription-based services, and leverages its access to SMS and other personal data to secretly sign people up for paid services.
Since it was first discovered, security researchers and Google have found numerous variants of Joker. When that happens, Google is usually quick to pull the affected apps from the Play Store, and the parties involved publish their findings. A couple of days ago, researchers on cloud security company Zscaler’s ThreatLabz team identified 17 new apps carrying Joker, which Google quickly removed from the Play Store. Those apps included:
- All Good PDF Scanner
- Mint Leaf Message-Your Private Message
- Unique Keyboard – Fancy Fonts & Free Emoticons
- Tangram App Lock
- Direct Messenger
- Private SMS
- One Sentence Translator – Multifunctional Translator
- Style Photo Collage
- Meticulous Scanner
- Desire Translate
- Talent Photo Editor – Blur focus
- Care Message
- Part Message
- Paper Doc Scanner
- Blue Scanner
- Hummingbird PDF Converter – Photo to PDF
- All Good PDF Scanner
Needless to say, if you have any of these applications on your phone, you should remove them immediately, run an anti-malware app to scan your device, ensure your device is updated and fully patched, and check permissions to see if any questionable apps have permission to access your SMS messages, contact list, etc.
Zscaler says, “We recommend paying close attention to the permission list in the apps that you install on your Android device. Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page also helps identify compromised apps.”
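The permission check recommended above can be scripted. The following is an added example, not code from Zscaler or Google: it flags packages that hold a granted permission in the SMS, call log, or contacts categories. The sample input is constructed and assumes the `Package [...]` / `granted=true` layout printed by `adb shell dumpsys package`, which can vary between Android versions; the package names are hypothetical.

```python
import re

# Permissions in the categories the article names: SMS, call logs, contacts.
RISKY = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=true")


def audit(dumpsys_text):
    """Return {package: sorted list of risky permissions that are granted}."""
    findings = {}
    current = None
    for line in dumpsys_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)  # later grant lines belong to this package
            continue
        grant = GRANT_RE.match(line)
        if grant and current and grant.group(1) in RISKY:
            findings.setdefault(current, set()).add(grant.group(1))
    return {name: sorted(perms) for name, perms in findings.items()}


# Constructed sample (assumed dumpsys layout, hypothetical package names).
SAMPLE = """\
Package [com.example.pdfscanner] (1a2b3c):
  requested permissions:
    android.permission.CAMERA
    android.permission.READ_SMS
    android.permission.READ_CONTACTS
  install permissions:
    android.permission.INTERNET: granted=true
  User 0: installed=true
    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (4d5e6f):
  install permissions:
    android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for name, perms in audit(SAMPLE).items():
        print(name, "->", ", ".join(perms))
```

A scanner app holding a granted SMS permission, as in the sample, is the kind of mismatch between an app's purpose and its permissions worth investigating. To audit a real device, save the output of `adb shell dumpsys package` to a file and pass its contents to `audit()`.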
Because Joker is continually evolving and only grabs additional components when devices or users meet certain criteria, it is particularly difficult to nail down and continues to slip through Google’s app screening process. Hopefully, with these latest findings, and continual disclosures from other security researchers, Joker’s spread will be slowed and eventually stopped. For now, though, users should be mindful of the apps they install and deny permission to any personal data unless absolutely certain the app is reputable, clean and needs it to function.