Google has recently removed 11 apps from the Play Store that were infected with the notorious Joker Malware in a move to make its platform more secure for Android users. The search giant has been tracking these apps since 2017. 

Researchers at Israeli cybersecurity firm Check Point discovered a new variant of the Joker Dropper and Premium Dialer spyware inside legitimate apps on the Play Store. Joker-infested apps with the latest variant are estimated to have been downloaded around 500,000 times before they were removed by Google. 

How Does This Malware Work?

According to the researchers, the new updated Joker malware can download additional malware onto unsuspecting users’ devices, which in turn subscribes them to premium services and siphons off their money without permission.

“Joker, one of the most prominent types of malware for Android, keeps finding its way into Google’s official application market as a result of small changes to its code, which enables it to get past the Play store’s security and vetting barriers. This time, however, the malicious actor behind Joker adopted an old technique from the conventional PC threat landscape and used it in the mobile app world to avoid detection by Google,” the Check Point Research report said.

To subscribe app users to premium services without their knowledge or consent, the Joker malware utilized two main components: the Notification Listener service that is part of the original application, and a dynamic dex file loaded from the C&C server that registers the user for the services.

“In an attempt to minimize Joker’s fingerprint, the actor behind it hid the dynamically loaded dex file from sight while still ensuring it is able to load – a technique which is well-known to developers of malware for Windows PCs. This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded,” the report added. 
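A defender-side check for the hiding technique described above, as an added example that is not taken from Check Point's report or from the original article: it scans text extracted from an app for Base64 runs that decode to a DEX file header. The function name, the 12-character threshold and the sample manifest are assumptions constructed for illustration.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet characters, optionally padded. The 12-character
# minimum (an assumption) is enough to cover the 8-byte DEX header.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
# A DEX file starts with "dex\n", a three-digit version and a NUL byte.
DEX_HEADER = re.compile(rb"dex\n(\d{3})\x00")


def find_embedded_dex(text):
    """Return (offset, decoded_size, dex_version) for every Base64 run in
    `text` whose decoded bytes start with a DEX header."""
    hits = []
    for m in B64_RUN.finditer(text):
        run = m.group(0).rstrip("=")
        if len(run) % 4 == 1:          # impossible Base64 length: drop one char
            run = run[:-1]
        run += "=" * (-len(run) % 4)   # restore canonical padding
        try:
            raw = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue
        header = DEX_HEADER.match(raw)
        if header:
            hits.append((m.start(), len(raw), header.group(1).decode()))
    return hits


# Constructed sample input: a fake 40-byte "DEX" (header plus zero bytes)
# and a harmless Base64 value, placed in manifest-like text.
FAKE_DEX = b"dex\n035\x00" + bytes(32)
SAMPLE_MANIFEST = (
    '<manifest package="com.example.constructed">\n'
    '  <meta-data android:name="a" android:value="%s"/>\n'
    '  <meta-data android:name="b" android:value="%s"/>\n'
    "</manifest>\n"
) % (
    base64.b64encode(b"hello world, hello").decode(),
    base64.b64encode(FAKE_DEX).decode(),
)

if __name__ == "__main__":
    for offset, size, version in find_embedded_dex(SAMPLE_MANIFEST):
        print(f"offset {offset}: Base64 payload decodes to {size} bytes, DEX version {version}")
```

The check only fires when a run begins at the start of the encoded file; a payload split across several strings has to be concatenated before scanning.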

Despite Google Play’s security features, Joker malware is still very difficult to detect and could very well return to the Play Store, Check Point points out.

Aviran Hazum, Manager of Mobile Research for Check Point, speaking about the new threat, said: “Joker adapted. We found it hiding in the “essential information” file every Android application is required to have.

“Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users. The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it can affect them.”

Given below are the package names for the 11 infected apps:

  • com.imagecompress.android
  • com.contact.withme.texts
  • com.hmvoice.friendsms
  • com.relax.relaxation.androidsms
  • com.cheery.message.sendsms (two different instances)
  • com.peason.lovinglovemessage
  • com.file.recovefiles
  • com.LPlocker.lockapps
  • com.remindme.alram
  • com.training.memorygame

If you are an Android user and have any of the above-listed packages installed on your smartphone, uninstall them immediately. Also, check your debit/credit card bills for charges, and unsubscribe from any services that you have not opted for. Lastly, install an anti-virus program on your smartphone to prevent future infections.

Last week, Google removed 30 malware-filled apps from its Play Store that were allegedly stealing user data. Earlier this year, the search giant also removed around 1,700 “Bread” apps from the Play Store that were found to be infested with a similar Joker malware. However, Google took these apps down before any user could download them.