Google removes 11 Android apps with Joker malware from Play Store

The notorious Joker malware subscribes users to a number of premium services without their consent.

Highlights
  • Google has pulled 11 apps from the Play Store that were infected with the infamous Joker malware
  • The apps modified their code to bypass the Play Store’s security and vetting barriers

As many as 11 apps infected by the notorious Joker malware have been removed from the Google Play Store. Security researchers at Israeli cybersecurity firm Check Point Research found these apps breaching users’ privacy, downloading additional malware to the device, and subscribing users to premium services without their knowledge or consent. Joker is among the most prominent types of malware for Android and keeps finding its way into Google’s app marketplace after hackers make minor changes in the code. Although the apps have been taken down from the Play Store, they will remain on your device until you manually uninstall them.

Apps removed from Google Play Store:

  • com.imagecompress.android
  • com.relax.relaxation.androidsms
  • com.cheery.message.sendsms
  • com.peason.lovinglovemessage
  • com.contact.withme.texts
  • com.hmvoice.friendsms (twice)
  • com.file.recovefiles
  • com.LPlocker.lockapps
  • com.remindme.alram
  • com.training.memorygame

With small changes to its code, the Joker malware was able to get past the Play Store’s security and vetting barriers. The security researcher noted that the “malicious actor behind Joker adopted an old technique from the conventional PC threat landscape and used it in the mobile app world to avoid detection by Google.” 

Joker signed users up for premium subscriptions using two main components: the Notification Listener service and a dynamic dex file. “The latter relies on C&C server to perform registration of the user to the services,” according to the report. “Originally, the code that was responsible for communicating with the C&C and downloading the dynamic dex file was located inside the main classes.dex file, but now the functionality of the original classes.dex file includes loading the new payload.”

Additionally, to avoid detection, the developer hid the malicious code in a dynamically loaded dex file while still ensuring it is able to load, a technique that is well known to developers of malware for Windows PCs. This new variant hides the malicious dex file inside the application as Base64-encoded strings; the app reads the strings, decodes them, and then loads the resulting dex file through reflection to infect the device.
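For defenders, a dex file hidden as Base64 text can be spotted by decoding candidate strings and checking for the DEX magic bytes. The Python sketch below is an added example, not code from Check Point or from the original article; the function names and the sample archive are constructed for illustration, and it assumes the payload is stored as one contiguous, unmodified Base64 string.

```python
import base64
import io
import re
import zipfile

# Base64 of b"dex\n0": the DEX magic plus the "0" that starts every version string.
B64_DEX = re.compile(rb"ZGV4Cj[A-Za-z0-9+/]{16,}={0,2}")

def decoded_dex_size(blob):
    """Return the decoded length if blob is Base64 for data starting with the DEX magic, else 0."""
    blob = blob[: len(blob) - len(blob) % 4]  # keep whole 4-character groups only
    try:
        data = base64.b64decode(blob, validate=True)
    except ValueError:
        return 0
    return len(data) if data.startswith(b"dex\n") else 0

def find_embedded_dex(apk_bytes):
    """List (entry name, decoded size) for every Base64-encoded DEX found inside an APK."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            raw = apk.read(name)
            # The second view drops NULs so ASCII stored as UTF-16 is matched too.
            for view in (raw, raw.replace(b"\x00", b"")):
                sizes = [n for n in map(decoded_dex_size, B64_DEX.findall(view)) if n]
                if sizes:
                    hits += [(name, n) for n in sizes]
                    break
    return sorted(hits)

def build_sample_apk():
    """Constructed sample: a ZIP with a fake DEX header hidden as Base64 in two entries."""
    fake_dex = b"dex\n035\x00" + bytes(range(64))  # constructed bytes, not real malware
    payload = base64.b64encode(fake_dex)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"\x05hello\x00" + payload + b"\x00")
        z.writestr("AndroidManifest.xml", payload.decode().encode("utf-16-le"))
        z.writestr("assets/readme.txt", b"nothing to see here")
    return buf.getvalue()

if __name__ == "__main__":
    for name, size in find_embedded_dex(build_sample_apk()):
        print(f"{name}: Base64 blob decodes to {size} bytes starting with the DEX magic")
```

A payload split across several strings, or encoded with a modified alphabet, will not match this pattern and needs string reassembly before the check.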

Check Point Research recommends that you check all apps before downloading. If you feel that you have downloaded an infected file, you should immediately uninstall it, check your mobile and credit card bills for any irregularities, and install an anti-virus program on your smartphone to prevent infections. That said, this is the third time Google has taken action against malicious apps in the past 30 days. It removed over 30 apps from the Play Store back in June, followed by another 25 earlier this month.