SMS Message Spying Joker Malware Infects 500K Users In 24 Android Apps On Google Play

The latest “Joker” spyware is no laughing matter as it can easily compromise a lot of the personal data you keep on your phone. Researchers recently discovered spyware that can access your SMS messages, contact list and other information. The spyware was found in over 24 Android apps on Google Play and has infected nearly 500,000 users.

The “Joker” spyware was originally detected this past June and was named after one of its command-and-control (C2) domain names. It can gain access to a victim’s SMS messages, contacts list, and other specific device information. It can also sign victims up for premium subscription services without their knowledge. The Joker is able to interact with an advertisement and enter an offer code. Since it has access to a user’s SMS messages, it simply waits for a confirmation code and then extracts it.

How does the Joker achieve this feat? According to software developer Aleksejs Kuprins, the spyware is a “small and a silent one”. It uses as little Java code as possible and has several layers of protection that make it hard to detect. For example, all of the infected apps have Mobile Country Codes (MCC) and can only attack devices in certain countries. A victim would need to have a SIM card from one of these countries to be affected by the spyware.

The security researchers also noted that the “malware also receives dynamic code and commands over HTTP and runs that code via JavaScript-to-Java callbacks.” These commands are not hard-coded into the app and are more difficult to detect. The Joker’s initialization process is also obscured by a “splash” screen. Victims are unable to determine what is truly occurring when the splash screen is visible.
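The traits described above (SMS access, SIM country gating, a JavaScript-to-Java bridge fed over HTTP) can be turned into a static triage heuristic for a decoded `AndroidManifest.xml` and decompiled sources. This is an added example, not the researchers' detection method; the function name `triage`, the pattern set and the sample app are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions matching the capabilities the article lists (SMS, contacts, device info).
RISKY_PERMS = {
    "android.permission.READ_SMS": "reads SMS",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS",
    "android.permission.READ_CONTACTS": "reads contacts",
    "android.permission.READ_PHONE_STATE": "reads device/SIM identifiers",
}
# Code patterns matching the described behaviours (assumed heuristic, not exhaustive).
CODE_PATTERNS = {
    "js_bridge": re.compile(r"\baddJavascriptInterface\s*\("),
    "sim_country_gate": re.compile(r"\bget(?:Sim|Network)Operator\s*\("),
    "cleartext_http": re.compile(r"[\"']http://"),
}

def triage(manifest_xml, sources):
    """Return (findings, verdict) for a decoded manifest and a {path: source} dict."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = [f"permission: {p} ({why})" for p, why in RISKY_PERMS.items() if p in perms]
    hits = set()
    for path, text in sorted(sources.items()):
        for name, pat in CODE_PATTERNS.items():
            if pat.search(text):
                hits.add(name)
                findings.append(f"code: {name} in {path}")
    sms = bool(perms & {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"})
    # Escalate only on the combination: SMS access plus a bridge that can run remote code.
    verdict = "review" if sms and "js_bridge" in hits else "low"
    return findings, verdict

# Constructed sample input (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""
SAMPLE_SOURCES = {
    "a/b.java": 'String op = tm.getSimOperator(); if (op.startsWith("000")) { start(); }',
    "a/c.java": 'web.addJavascriptInterface(new Bridge(), "b"); web.loadUrl("http://c2.example/x");',
}

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_SOURCES)[0]:
        print(line)
```

A "review" verdict only flags the combination for manual analysis; many legitimate apps use a WebView bridge or read the SIM operator on their own.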

It is unclear where the spyware originally came from. Researchers noted that some of the spyware’s code was written in Chinese and therefore may have originated in China. Thankfully, all 24 apps have been removed from the Google Play store at the time of this publication.

Google also recently removed the popular CamScanner app from its app store. The app was harboring a malicious module called Trojan-Dropper.AndroidOS.Necro.n and bombarding users with ads. Although there were no data leaks, users were still incredibly annoyed by the module. A new, “clean” version of CamScanner will soon be released on Google Play.