The Joker malware is back again on Google Play, this time seen in a mobile application called Colour Message. The app was downloaded more than 500,000 times before its removal from the store.
Joker malware was found hiding in the Colour Message app, ready to fleece unsuspecting users with premium SMS charges.
Defrauded
Users should immediately delete Colour Message from their devices to avoid being defrauded, researchers at Pradeo Security warned.
Joker is a persistent threat that’s been around since 2017, hiding itself within legitimate-seeming, common application types such as games, messengers, photo editors, translators & wallpapers, many of them aimed at children.
When installed, Joker apps subscribe victims to unwanted, paid premium services controlled by the attackers – a type of billing fraud that researchers categorise as “fleeceware.” Often, the victim is none the wiser until the mobile bill arrives.
Home Screen
In the worst cases, the apps also steal contact lists & device information & can hide their icons from the home screen – which is the case with Colour Message, Pradeo researchers stated, adding that the application appeared to be making connections to Russian servers.
Colour Message purported to offer the ability to enhance messaging with a range of fun emojis & screen overlays.
“It makes texting easy, fun & beautiful,” according to its Google Play listing, captured by Pradeo before the takedown. “Customise the theme quickly. The Colour Message application has unique technology that can help you personalise your default SMS messenger.”
1,800+ Reviews
Interestingly, it also had 1,800+ reviews, with an average rating of 4 stars – though the more recent reviews tended towards the scathing, such as “misleading ad & worst app ever.”
“The application’s very concise terms & conditions are hosted on an unbranded 1-page blog & do not disclose the extent of the actions the app can perform on users’ devices,” according to the Pradeo writeup.
“One of the victims has even tried reaching out to the application’s developer through the comment section of the legal page; other users are directly complaining about the fraud in the comment section of the app on the store.”
Joker, a Perennial Malware Threat
Malicious Joker apps are commonly found outside of the official Google Play store, but they’ve continued to evade Google Play’s protections. One of the ways Joker does this is through lightweight development & constant code tinkering.
“By using as little code as possible & thoroughly hiding it, Joker generates a very small footprint that can be tricky to detect,” according to Pradeo.
Flutter
The most recent version of the malware also takes advantage of a legitimate developer tool called ‘Flutter’ to evade both device-based security & app-store protections, Zimperium recently found.
Flutter is an open-source app development kit designed by Google that allows developers to craft native apps for mobile, web & desktop from a single codebase. The use of Flutter to code mobile applications is a common approach, & one that traditional scanners see as benign, researchers explained.
Application Code
“Due to the commonality of Flutter, even malicious application code will look legitimate & clean, whereas many scanners are looking for disjointed code with errors or improper assemblies,” explained Zimperium researchers in an analysis published in July.
As a result of all these tricks, there have been periodic re-infestations of Joker inside the official store, including 2 massive attacks last year.
According to researchers at Zimperium, more than 1,800 Android applications infected with Joker have been removed from the Google Play store in the last 4 years.