Google Play Store is a platform where threat actors keep reappearing due to its popularity and widespread use. No matter how many measures Google implements, it seems difficult to make this platform entirely free from abusers. Hence, once again, a wave of malicious Android apps appeared on the Play Store bearing the infamous Joker malware.
Android Joker Malware Apps
Researchers from the Zscaler ThreatLabZ discovered 17 new apps on the Android Play Store with Joker malware. These apps together boasted around 120,000 downloads.
As elaborated in their blog post, the researchers found these apps as they monitored the Play Store for Joker malware.
Upon discovering these apps, they investigated the matter further to find out how the apps evaded Google’s vetting process.
They have described three different scenarios for this security bypass.
- Direct download of the payload from a URL where the app had the C&C address hidden and obfuscated in the code.
- Payload download from a stager payload where the app embedded the stager payload URL within its code in AES-encrypted form.
- Two-stage payload download via two stager payloads. The app first downloaded the stage one payload, which then downloaded the stage two payload, which in turn downloaded the final Joker payload.
Below is the list of all these malicious apps.
- All Good PDF Scanner
- Mint Leaf Message-Your Private Message
- Unique Keyboard – Fancy Fonts & Free Emoticons
- Tangram App Lock
- Direct Messenger
- Private SMS
- One Sentence Translator – Multifunctional Translator
- Style Photo Collage
- Meticulous Scanner
- Desire Translate
- Talent Photo Editor – Blur focus
- Care Message
- Part Message
- Paper Doc Scanner
- Blue Scanner
- Hummingbird PDF Converter – Photo to PDF
- All Good PDF Scanner
Google Removed Malicious Apps
Following the report from the researchers, Google removed all 17 apps from the Play Store.
Nonetheless, these apps might still be present on users’ devices. Therefore, make sure to go through the list given above and remove any of these apps that you find on your device.
This is the second appearance of Joker malware on the Play Store. The previous incident surfaced online earlier this month when Google removed six malicious Android applications.