This week Google removed 17 Android applications from the official Play Store. According to Viral Gandhi, a security researcher from Zscaler, all 17 applications were infected with Joker (aka Bread). Malware on the Play Store is a common phenomenon and it is a collective duty of both Google and users to deal with them.
“This spyware is designed to steal SMS messages, contact lists, and device information, along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zscaler security researcher Viral Gandhi said.
Google has deleted these applications from the Play Store and started the Play Protect disable service, but users still need to manually intervene to delete these applications from the device.
The names of the 17 apps are:
- All Good PDF Scanner
- Mint Leaf Message-Your Private Message
- Unique Keyboard – Fancy Fonts and Free Emoticons
- Tangram App Lock
- Direct Messenger
- Private SMS
- One Sentence Translator – Multifunctional Translator
- Style Photo Collage
- Meticulous Scanner
- Desire Translate
- Talent Photo Editor – Blur focus
- Care Message
- Part Message
- Paper Doc Scanner
- Blue Scanner
- Hummingbird PDF Converter – Photo to PDF
- All Good PDF Scanner
(As of this writing, these apps are no longer on Play Store. However, you have a duty to uninstall them immediately if they are on your device)
Joker is the bane of the Play Store
This is the third time the Google security team has dealt with Joker-infected applications in recent months. Early last month, the Google team deleted 6 infected apps. In July, Google security researchers also discovered a batch of applications infected by Joker.
According to the investigation, this batch of virus software has been active since March and has successfully infected millions of devices.
These infected applications use a technique called “droppers”. This technology allows the infected application to bypass Google’s security defense system, go directly to the Play Store, and infect the victim’s device in multiple stages.
From Google’s point of view, this technology is very simple, but difficult to defend.
How Joker works
First, the creator of the malware will clone the legitimate application function and upload it to the Play Store. Generally, this application is fully functional and can request access, but it will not perform any malicious operations the first time it runs. Since malicious operations are often delayed for hours or days, and Google’s security scans will not detect malicious code, such applications usually appear in the Play Store.
But once the user installs it on the device, the application downloads and “drops” (hence the name droppers or loaders) other components or applications on the device that contain Joker malware or other malware.
In January of this year, Google published a blog post claiming that Joker is one of the most persistent and advanced threats they have dealt with in the past few years. Google also said that since 2017, its security team has removed more than 1,700 applications from the Play Store. In short, it is difficult to guard against Joker. However, if users can be cautious when installing applications with broad permissions, they can reduce the possibility of infection.
In addition, Bitdefender also reported a batch of malicious applications to the Google security team, some of which are still available on the Play Store. Bitdefender did not disclose the name of the applications, only the account name of the developer who uploaded the application. It also warns that anyone who has such apps should uninstall them immediately.