Google removes 17 Android apps caught engaging in WAP billing fraud (2024)

Google has removed this week 17 Android applications from the official Play Store. The 17 apps, spotted by security researchers from Zscaler, were infected with the Joker (aka Bread) malware.

"This spyware is designed to steal SMS messages, contact lists, and device information, along with silently signing up the victim for premium wireless application protocol (WAP) services," Zscaler security researcher Viral Gandhisaid this week.

The 17 malicious apps were uploaded on the Play Store this month and didn't get a chance to gain a following, having been downloaded more than 120,000 times before being detected.

The names of the 17 apps were:

• All Good PDF Scanner
• Mint Leaf Message-Your Private Message
• Unique Keyboard - Fancy Fonts and Free Emoticons
• Tangram App Lock
• Direct Messenger
• Private SMS
• One Sentence Translator - Multifunctional Translator
• Style Photo Collage
• Meticulous Scanner
• Desire Translate
• Talent Photo Editor - Blur focus
• Care Message
• Part Message
• Paper Doc Scanner
• Blue Scanner
• Hummingbird PDF Converter - Photo to PDF
• All Good PDF Scanner

Following its internal procedures, Google removed the apps from the Play Store, used the Play Protect service to disable the apps on infected devices, but users still need to manually intervene and remove the apps from their devices.

Joker is the Play Store's bane

But this recent takedown also marks the third such action from Google's security team against a batch of Joker-infected apps over the past few months.

Google removed six such appsat the start of the month after they've been spotted and reported by security researchers fromPradeo.

Before that, in July, Google removed another batch of Joker-infected apps discovered by security researchers fromAnquanke. This batch had been active since March and had managed to infect millions of devices.

The way these infected apps usually manage to sneak their way past Google's defenses and reach the Play Store is through a technique called "droppers," where the victim's device is infected in a multi-stage process.

The technique is quite simple, but hard to defend against, from Google's perspective.

Malware authors begin by cloning the functionality of a legitimate app and uploading it on the Play Store. This app is fully functional, requests access to dangerous permissions, but also doesn't perform any malicious actions when it's first run.

Because the malicious actions are usually delayed by hours or days, Google's security scans don't pick up the malicious code, and Google usually allows the app to be listed on the Play Store.

But once on a user's device, the app eventually downloads and "drops" (hence the name droppers, or loaders) other components or apps on the device that contain the Joker malware or other malware strains.

The Joker family, which Google tracks internally as Bread, has been one of the most ardent users of the dropper technique. This, in turn, has allowed Joker to make it on the Play Store -- the Holy Grail of most malware operations -- more than many other malware groups. In January, Google published ablog postwhere it described Joker as one of the most persistent and advanced threats it has dealt with in the past years. Google said that its security teams had removedmore than 1,700 appsfrom the Play Store since 2017.

But Joker is far more widespread than that, being also found in apps uploaded on third-party Android app stores as well.

All in all, Anquanke said it detected more than 13,000 Joker samples since the malware was first discovered in December 2016.

Protecting against Joker is hard, but if users show some caution when installing apps with broad permissions, they can avoid getting infected.

In other Android security news

Bitdefender reporteda batch of malicious apps to Google's security team. Some of these apps are still available on the Play Store. Bitdefender didn't reveal the name of the apps, but only the names of the developer accounts from which they were uploaded. Users who have installed apps from these developers should remove them right away.

• Nouvette
• Piastos
• Progster
• imirova91
• StokeGroove
• VolkavStune

ThreatFabric also published a report aboutthe demise of the Cerberusmalware andthe rise of the Alien malware, which contains features to steal credentials for 226 applications.

Updated on September 28 to add that after this article's publication, both Zimperium and Kaspersky also published reports about new Joker malware strains, confirming a recent spike in Joker activity, as reported by Zscaler, Pradeo, and Anquanke.