SMS Message Spying Joker Malware Infects 500K Users In 24 Android Apps On Google Play
The “Joker” spyware was originally detected this past June and was named after one of its command-and-control (C2) domain names. It can gain access to a victim’s SMS messages, contacts list, and other specific device information. It can also sign victims up for premium subscription services without their knowledge. The Joker is able to interact with an advertisement and enter an offer code. Since it has access to a user’s SMS messages, it simply waits for a confirmation code and then extracts it.
How does the Joker achieve this feat? According to software developer Aleksejs Kuprins, the spyware is a “small and a silent one”. It uses as little Java code as possible and has several layers of protection that make it hard to detect. For example, all of the infected apps contain Mobile Country Codes (MCC) and can only attack devices in certain countries. A victim would need to have a SIM card from one of these countries to be affected by the spyware.
It is unclear where the spyware originally came from. Researchers noted that some of the spyware’s code was written in Chinese and therefore may have originated in China. Thankfully, all 24 apps have been removed from the Google Play store at the time of this publication.
Google also recently removed the popular CamScanner app from its app store. The app was harboring a malicious module called Trojan-Dropper.AndroidOS.Necro.n and bombarding users with ads. Although there were no data leaks, users were still incredibly annoyed by the module. A new, “clean” version of CamScanner will soon be released on Google Play.