Google has taken steps to ax dozens of fraudulent apps from the official Play Store that were spotted propagating Joker, Facestealer, and Coper malware families through the virtual marketplace.
While the Android storefront is considered to be a trusted source for discovering and installing apps, bad actors have repeatedly found ways to sneak past security barriers erected by Google in hopes of luring unsuspecting users into downloading malware-laced apps.
The latest findings from Zscaler ThreatLabz and Pradeo are no different. “Joker is one of the most prominent malware families targeting Android devices,” researchers Viral Gandhi and Himanshu Sharma said in a Monday report.
“Despite public awareness of this particular malware, it keeps finding its way into Google’s official app store by regularly modifying the malware’s trace signatures including updates to the code, execution methods, and payload-retrieving techniques.”
Categorized as fleeceware, Joker (aka Bread) is designed to subscribe users to unwanted paid services or make calls to premium numbers, while also gathering SMS messages, contact lists, and device information. It was first observed in the Play Store in 2017.
A total of 53 Joker downloader apps have been identified by the two cybersecurity firms, with the applications downloaded cumulatively over 330,000 times. These apps typically pose as SMS, photo editors, blood pressure monitor, emoji keyboards, and translation apps that, in turn, request elevated permissions for the device to carry out its operations.
“Instead of waiting for apps to gain a specified volume of installs and reviews before swapping for a malware-laced version, the Joker developers have taken to hiding the malicious payload in a common asset file and package application using commercial packers,” the researchers explained the new tactic adopted by the persistent malware to bypass detection.
It’s not just Joker, as security researcher Maxime Ingrao last week disclosed eight apps containing a different variant of the malware called Autolycos that racked up a total of over three million downloads prior to their removal from the app store after more than six months.
“What is new about this type is that it no longer requires a WebView,” Malwarebytes researcher Pieter Arntz said. “Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on. Autolycos avoids WebView by executing URLs on a remote browser and then including the result in HTTP requests.”
Also discovered in the official marketplace were apps embedding Facestealer and Coper malware. While the former enables the operators to siphon Facebook credentials and auth tokens, Coper — a descendant of the Exobot malware — functions as a banking trojan that can steal a wide range of data.
Coper is “capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing overly attacks, preventing uninstalls and generally allowing attackers to take control and execute commands on infected device via remote connection with a C2 server,” the researchers said.
The malware, like other banking trojans, is also known to abuse the accessibility permissions on Android to gain full control of the victim’s phone. The list of Facestealer and Coper dropper apps is as follows –
- Vanilla Camera (cam.vanilla.snapp)
- Unicc QR Scanner (com.qrdscannerratedx)
If anything, the findings add to Google’s storied history of struggling to keep such fleeceware and spyware apps off its mobile app store, in part owing to a multitude of evolving tactics adopted by threat actors to fly under the radar.
Besides the usual rules of thumb when it comes to downloading apps from app stores, users are recommended to refrain from granting unnecessary permissions to apps and verify their legitimacy by checking for developer information, reading reviews, and scrutinizing their privacy policies.