Joker Malware Infiltrates Google Play Store

Zscaler researchers discover malware employing WAP billing fraud. Google removes 17 apps from its Android Play Store as a result.

On September 24, Zscaler announced that its researchers had discovered yet another instance of the Joker (aka Bread) malware inside Google's Android Play Store. Joker has plagued the Play Store since 2017, and Google has called it one of the most persistent threats the store has dealt with.

Viral Gandhi, a Zscaler researcher, writes, “Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services.”

All 17 apps have since been removed from the Play Store, and Google, following its usual procedure, also used Play Protect to disable them on devices where they were installed. Uninstalling the app itself is still up to the user. The apps had only been uploaded to the Play Store in September 2020 and had about 120,000 downloads in total, so they had not gained much of a foothold. The list of apps from Zscaler's announcement is as follows:

  • All Good PDF Scanner
  • Mint Leaf Message-Your Private Message
  • Unique Keyboard – Fancy Fonts & Free Emoticons
  • Tangram App Lock
  • Direct Messenger
  • Private SMS
  • One Sentence Translator – Multifunctional Translator
  • Style Photo Collage
  • Meticulous Scanner
  • Desire Translate
  • Talent Photo Editor – Blur focus
  • Care Message
  • Part Message
  • Paper Doc Scanner
  • Blue Scanner
  • Hummingbird PDF Converter – Photo to PDF
  • All Good PDF Scanner

In a recent article, we discussed how mobile devices do not ship with the kind of antivirus or antimalware products people expect on a desktop. We noted that people tend to blindly trust their app stores, assuming that apps are scanned before they are published and that we are therefore protected. Those stores do scan submissions, but the scans are not built to catch a developer who publishes a clean-looking app with a back door and later uses it to pull in a payload and steal information. That is exactly what happened with these 17 apps. The Joker malware was not found by Google; it was found by Zscaler's ThreatLabZ research team, which has been monitoring the family continuously.

Joker persists in the Play Store because, as Gandhi stated, it keeps changing its code, its execution methods, or its payload-retrieving techniques. Changing one or all three makes a new sample different enough to slip past automated scans that are tuned to the last version that was caught, not the newest one. Attackers change their tactics regularly; this is one example of how it is done.
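To make concrete why a small code change is enough to slip past a signature scan, here is an added example in Python; it is not code from Zscaler, Google, or the original article. It runs a hash blocklist and a simple permission-and-behaviour heuristic over three constructed sample apps. The sample contents, the `loads_code_at_runtime` flag and the heuristic rule are assumptions made for illustration, not a description of how Play Protect or Zscaler actually detect Joker.

```python
import hashlib

# Constructed stand-ins for three submitted apps. Each one records the
# app's code bytes and the permissions its manifest declares, plus an
# assumed analysis flag for whether the app loads code at runtime. None of
# these are real Joker samples or real package contents.
COMMON_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
}

SAMPLE_APPS = {
    # The variant that was caught last time; its hash is on the blocklist.
    "scanner_v1": {
        "code": b"fetchPayload();readSms();subscribeWap();",
        "permissions": set(COMMON_PERMISSIONS),
        "loads_code_at_runtime": True,
    },
    # Same behaviour, but one identifier was renamed, so the bytes differ.
    "scanner_v2": {
        "code": b"fetchPayload2();readSms();subscribeWap();",
        "permissions": set(COMMON_PERMISSIONS),
        "loads_code_at_runtime": True,
    },
    # A benign app that only needs network access.
    "notes_app": {
        "code": b"saveNote();syncNotes();",
        "permissions": {"android.permission.INTERNET"},
        "loads_code_at_runtime": False,
    },
}


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 hex digest of the app's code bytes."""
    return hashlib.sha256(data).hexdigest()


# A signature blocklist built from the one variant already analysed.
KNOWN_BAD_HASHES = {sha256_hex(SAMPLE_APPS["scanner_v1"]["code"])}

# Permissions that, combined with network access and runtime code loading,
# match the behaviour the article attributes to Joker (SMS theft, silent
# premium-service sign-up). The exact rule is this example's assumption.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}


def hash_scan(app: dict) -> bool:
    """Signature check: flag only if the exact code bytes were seen before."""
    return sha256_hex(app["code"]) in KNOWN_BAD_HASHES


def behaviour_scan(app: dict) -> bool:
    """Heuristic check: flag SMS access + network + code fetched at runtime."""
    perms = app["permissions"]
    return (
        app["loads_code_at_runtime"]
        and "android.permission.INTERNET" in perms
        and bool(perms & SMS_PERMISSIONS)
    )


def scan_all(apps: dict = SAMPLE_APPS) -> dict:
    """Return {app_name: (hash_hit, behaviour_hit)} for every app."""
    return {name: (hash_scan(app), behaviour_scan(app)) for name, app in apps.items()}


if __name__ == "__main__":
    for name, (by_hash, by_behaviour) in scan_all().items():
        print(f"{name:12} hash={str(by_hash):5} behaviour={by_behaviour}")
```

Renaming one identifier in `scanner_v2` changes its SHA-256, so the hash check misses it, while the heuristic, which looks at what the app asks for and does rather than at its exact bytes, still flags it. Real store scanning is far more elaborate than this, but the asymmetry is the same: an attacker can change bytes cheaply, while the behaviour the malware needs is harder to disguise.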

If you have any of these apps on any of your devices, delete it immediately. Google removed the apps from the Play Store and disabled the installed copies, but it cannot uninstall the app from your device for you. Before installing an app, check its reviews, how long it has been available, and how many reviews and downloads it has; search for the developer and look at what other products they have published and how those products behave. Always do your due diligence when downloading something new. In today's world, most of our lives are entrenched in our mobile devices, and keeping them protected is one of the best ways to protect your private information.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries, including finance, media, medical tech, and defense contracting. He also authored the highly influential precursor HAZL (jADE) programming language.
