David Baxter PhD
Late Founder
Android User? Delete These Apps Now
by John Lister
September 10, 2019
Nearly half a million users have been infected with "The Joker" malware through the Google Play store. The malware is particularly nasty and works by signing users up to premium services without their knowledge.
The malware, spotted by researcher Aleksejs Kuprins, was found in 24 apps with a combined 472,000 downloads - though more apps may be found later. As of this writing, the 24 known apps have been removed from the Google Play store. (Source: techradar.com)
Infected Apps Need to be Removed
If you have any of the following apps installed on your phone, they should be removed immediately. The infected apps list is as follows:
- Advocate Wallpaper
- Age Face
- Altar Message
- Antivirus Security - Security Scan
- Beach Camera
- Board picture editing
- Certain Wallpaper
- Climate SMS
- Collate Face Scanner
- Cute Camera
- Dazzle Wallpaper
- Declare Message
- Display Camera
- Great VPN
- Humour Camera
- Ignite Clean
- Leaf Face Scanner
- Mini Camera
- Print Plant scan
- Rapid Face Scanner
- Reward Clean
- Ruddy SMS
- Soby Camera
- Spark Wallpaper
As is a familiar story with Android malware, most of the apps claimed to perform a simple task, and it appears they delivered as promised. The problem was what happened behind the scenes. The Joker malware is specially crafted to only work if the user's SIM card is registered in one of 37 countries, including the US, Brazil, Australia and most of Europe and Asia. All of these countries have mobile networks that allow users to subscribe to digital services, with the charges applied to their monthly phone service fee or taken out of a pay-as-you-go credit balance.
The compromised apps are set up to receive encrypted instructions from a remote server, making it less likely they'll be spotted by security scans. The app will then usually display a screen with the app logo while "loading." In fact, this was when the nefarious activity was happening behind the scenes.
Malware Scans Incoming SMS
Once activated, the malware secretly loads a subscription page (which the user can't see) and signs up to a service. It then continues working in the background, looking for a confirmation code sent via SMS text message - something that's designed to be a security measure.
The malware intercepts the message, copies the code and provides it to the subscription service as if the user had typed it in. The user is then hit with a monthly charge, which is usually quite small - around $7.40 USD in one case. (Source: medium.com)
The scheme appears to be to go for a large number of victims while keeping the individual amounts small enough that there's less chance of people spotting the scam, unless they check their bills carefully.
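An added example, not part of the original article: a triage pass over an app inventory that flags apps named in the list above and, going beyond the article, any non-messaging app holding Android's READ_SMS or RECEIVE_SMS permission. The inventory rows, package names and category field are constructed, and the article does not say how Joker reads SMS, so the permission check is an assumption.

```python
import re

# The 24 app names listed in the article.
LISTED_APPS = """Advocate Wallpaper|Age Face|Altar Message|
Antivirus Security - Security Scan|Beach Camera|Board picture editing|
Certain Wallpaper|Climate SMS|Collate Face Scanner|Cute Camera|
Dazzle Wallpaper|Declare Message|Display Camera|Great VPN|Humour Camera|
Ignite Clean|Leaf Face Scanner|Mini Camera|Print Plant scan|
Rapid Face Scanner|Reward Clean|Ruddy SMS|Soby Camera|Spark Wallpaper"""

def norm(label):
    """Lower-case and collapse punctuation/whitespace so labels compare loosely."""
    return re.sub(r"[^a-z0-9]+", " ", label.lower()).strip()

LISTED = {norm(name) for name in LISTED_APPS.split("|")}

# Standard Android permissions that let an app see incoming SMS (assumed mechanism).
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
SMS_EXPECTED = {"messaging"}  # hypothetical category where SMS access is normal

def triage(inventory):
    """Return [(package, [reasons])] for apps that deserve a closer look."""
    findings = []
    for app in inventory:
        reasons = []
        if norm(app["label"]) in LISTED:
            reasons.append("name is on the article's list")
        sms = SMS_PERMS & set(app["permissions"])
        if sms and app["category"] not in SMS_EXPECTED:
            short = sorted(p.rsplit(".", 1)[1] for p in sms)
            reasons.append("can read SMS: " + ", ".join(short))
        if reasons:
            findings.append((app["package"], reasons))
    return findings

# Constructed inventory (e.g. an MDM export); package names are placeholders.
SAMPLE = [
    {"label": "Beach  Camera", "package": "com.example.beachcam", "category": "photography",
     "permissions": ["android.permission.CAMERA", "android.permission.RECEIVE_SMS"]},
    {"label": "Notes", "package": "com.example.notes", "category": "productivity",
     "permissions": ["android.permission.INTERNET"]},
    {"label": "Carrier Messages", "package": "com.example.sms", "category": "messaging",
     "permissions": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS"]},
    {"label": "Torch Light", "package": "com.example.torch", "category": "tools",
     "permissions": ["android.permission.READ_SMS"]},
]

if __name__ == "__main__":
    for package, reasons in triage(SAMPLE):
        print(package, "->", "; ".join(reasons))
```

A name match is only a lead, since unrelated apps can share a label; confirm against the package before removing anything.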