Joker fleeceware "thriving" on Google Play Store, researchers claim

Six recently removed apps are believed to have spread the malware across 200,000 installs

Six apps have been deleted from the Google Play store after it was discovered they were infected with malware that simulates clicks and intercepts SMS messages to commit fraud.

Joker, also known as "Bread", is a billing-fraud strain of malware that advertises itself as a legitimate app, according to security researchers at Pradeo.

The six apps account for nearly 200,000 installs and, despite confirmation of their removal from Google's Play Store, researchers have suggested they are still installed on the devices of their users.

The researchers have urged users to immediately delete the apps: Convenient Scanner 2, Separate Doc Scanner, Safety AppLock, Push Message-Texting & SMS, Emoji Wallpaper and Fingertip GameBox.

Often described as 'fleeceware', this type of malware is designed to simulate clicks and intercept SMS text messages to trick users into subscribing to unwanted paid premium services. These types of malware generally have a fairly discreet footprint as they tend to use as little code as possible, making their fraudulent activity difficult to spot.

Apps that spread the Joker malware have continued to bypass Google security mechanisms since 2019 as those behind its spread are constantly updating its source code.

"Most apps embedding Joker malware are programmed to load and execute external code after being published on the store," Pradeo researcher Roxane Suau said, speaking to Threatpost.

"First, these apps are riddled with permission requests and submitted to Google Play by their developers. They get approved, published and installed by users. Once running on users' devices, they automatically download malicious code. Then, they leverage their numerous permissions to execute the malicious code."

The malware has "thrived" on Google Play in 2020, according to the team. In January, researchers revealed that Google had removed 17,000 Android apps that had been conduits for the Joker malware, with 11 more removed in July.

Featured Resources

Consumer choice and the payment experience

A software provider's guide to getting, growing, and keeping customers

Download now

Prevent fraud and phishing attacks with DMARC

How to use domain-based message authentication, reporting, and conformance for email security

Download now

Business in the new economy landscape

How we coped with 2020 and looking ahead to a brighter 2021

Download now

How to increase cyber resilience within your organisation

Cyber resilience for dummies

Download now

Recommended

ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021
CISOs aren’t leading by example when it comes to cyber security
cyber security

CISOs aren’t leading by example when it comes to cyber security

24 May 2021
New report highlights the need for diversity in cyber security recruitment
cyber security

New report highlights the need for diversity in cyber security recruitment

28 Apr 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021
EU plans to launch bloc-wide cyber task force
cyber attacks

EU plans to launch bloc-wide cyber task force

22 Jun 2021