Security experts from Google have discovered a new spyware in 24 Play Store apps that, combined, have more than 472,000 downloads. Researchers have stated that this spyware also has the capabilities of normal malware and appears to have infected certain apps in Google Play with more than 100,000 installations. Cybercriminals are deploying this spyware through the advertisement framework in those compromised apps.
Introduction to Joker
This spyware secretly collects users’ personal details, like contacts and other address book details, and is aptly named Joker. Joker uses the SMS collection module to confirm the user’s country. All infected apps contain a sophisticated list of mobile country codes, which Joker openly exploits. Cybercriminals are also sending command and control codes that can be executed using a Javascript to keep their spyware alive.
This Joker spyware comes with two components: one that identifies the device location, and another that automatically subscribes users to the premium package offered in the ads by the campaign sponsors. All of Joker’s activities are controlled by a command and control (C&C) server operated by the cybercriminals.
Countries targeted by Joker
Joker has targeted these 37 countries: Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, the United Arab Emirates, the United Kingdom, and the United States.
Joker-infected Android apps
The following applications have been infected by Joker:
1. Antivirus Security – Security Scan, App Lock
2. Dazzle Wallpaper
3. Collate Face Scanner
4. Reward Clean
5. Age Face
6. Altar Message
7. Rapid Face Scanner
8. Picture editing
9. Soby Camera
10. Great VPN
11. Humour Camera
12. Advocate Wallpaper
13. Ruddy SMS Mod
14. Ignite Clean
15. Print Plant scan
16. Leaf Face Scanner
17. Boar
18. Declare Message
19. Display Camera
20. Beach Camera
21. Mini Camera
22. Certain Wallpaper
23. Cute Camera
24. Spark Wallpaper
How to protect your Android devices against Joker
To simplify things, Google has already identified these 24 apps in the Play Store, confirmed their Joker infection, and removed them from the Play Store. However, this only blocks any future downloads of the infected apps.
Users that have already installed these apps in their devices will be issued a warning by Google Play, like the one users received for the CamScanner malware. So check your Android device for these apps and remove them before you end up handing over your personal data to Joker.
For organizations that manage corporate-owned, personally enabled (COPE), choose your own device (CYOD), and bring your own device (BYOD) environments, it’s better to include these 24 apps in the blacklisted or prohibited group of applications and deploy the policy to your managed devices. Blacklisting and whitelisting apps can be carried out using a mobile device management (MDM) or unified endpoint management (UEM) solution.
Thwart Joker with help from ManageEngine
If you already have an MDM or UEM solution, start rolling out your new configurations as soon as possible. If not, you can download ManageEngine’s unified endpoint management solution or mobile device management solution to blacklist infected applications and nullify Joker. Both of the above solutions come with a free trial for 30 days and offer a free edition, which will allow you to manage 25 mobile devices completely free.
Do not underestimate Joker; doing so could be lethal to your organization considering the current data protection laws like the GDPR and POPI for Europe and South Africa, along with upcoming laws like the CCPA and LGPD for the USA and Brazil.
Weird that despite checks from Google, hackers face no problems in reaching Play Store. Obviously, the widespread use of Android phones makes it extremely difficult to make each and every user aware of the existence of such malicious apps. Perhaps, Google needs to make major changes in their policies to protect Android users.
Agreed, Google needs to update their policies in time.
Nowadays malware authors are frequently abusing Google play and advertisement platforms and use them for dropping a variety of malware. it seems joker target almost all the top leading technologically strong origins. Lack of awareness in Andoird users leads to target a huge number of users. Great analysis.
This is where blacklisting and whitelisting can come in handy. If you have got your corporate containers up, your business data should be safe.
Another day another stealthy malware on Google Play, before installing non-factory apps users should check application reputation. Downloading these weird, crappy apps should be avoided.
Organizations can prefer whitelisting to avoid surprises like this, however for personal devices only proper cyber awareness would help. Or they can look at for warning messages from Google Play Protect.
Joker malware is yet another great example showing how immature are Google Play Store’s security mechanisms, including Google Play Protect, at this moment that even an already detected malware can again sneak into users’ Android devices just by repackaging it into a new form.
Google Play Protect is just the first level of protection, proper app security management with the right usage of sandboxes is a permanent solution.
Do you guys have any resources about LGPD?
Hey Peter, we are coming with a guide for LGPD Compliance. Please stay tuned.
Not all malwares will threaten device security, but they can cause performance hits. Believing the presence of external threats, corporates should employ MDM solutions atleast for their critical machines.