During the last weeks of August this year, security experts and analysts observed a new Trojan on Google Play. They detected it in 24 apps with over 472,000 installs in total. The malware goes by the name “the Joker” (borrowed from one of the C&C domain names). It delivers a second-stage component that silently simulates interaction with advertisement websites and steals the victim’s SMS messages, contact list and device info.
It was also found that the Joker malware only attacks targeted countries. According to the experts, most of the infected apps contain a list of Mobile Country Codes (MCC), and the victim has to be using a SIM card from one of these countries in order to receive the second-stage payload.
All the apps discovered to contain the malware target EU and Asian countries; however, some apps allow for any country to join. Additionally, most of the discovered apps have an additional check which makes sure that the payload won’t execute when running within the US or Canada.
The entire list of 37 targeted countries includes: Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom and the United States.
A few unsuspecting and greedy individuals hire mobile app developers to help them build non-complying, untrustworthy, and sometimes bogus apps, solely with the purpose of stealing the users’ data and selling it to third parties.
Google has removed the offending apps from the Google Play store, but they managed to rack up more than 472,000 total downloads before they were excommunicated. If by chance you have any of these apps installed on your own Android phone or tablet, or worse, if you actively use them, this is the time to delete and uninstall them without blinking an eye.
If you have any one of these apps installed on your Android device, delete it right away.
Advocate Wallpaper
Age Face
Altar Message
Antivirus Security - Security Scan
Beach Camera
Board picture editing
Certain Wallpaper
Climate SMS
Collate Face Scanner
Cute Camera
Dazzle Wallpaper
Declare Message
Display Camera
Great VPN
Humour Camera
Ignite Clean
Leaf Face Scanner
Mini Camera
Print Plant scan
Rapid Face Scanner
Reward Clean
Ruddy SMS
Soby Camera
Spark Wallpaper
Final notes
This trojan has been found using notably stealthy tactics to carry out heavily malicious activities on Google Play, lying dormant within advertisement frameworks and not exposing too much of its malicious code in the open.
One of the earliest recorded occurrences of the Joker in the wild that can be pinpointed comes from DNS metadata. This suggests that the Joker malware family began its recent campaigns in early June 2019.
But when the researchers dug deeper, some of the major version digits in the build names painted a different picture. They gave the impression of a life cycle that was slightly longer, with potentially more campaigns in the past.
Even though the volume of affected apps was comparatively small, Google already seems to be on top of this threat as much as is possible. A good number of apps do rack up 100,000+ installs before they get removed; however, the install number can always be artificial to some degree due to common astroturfing practices.
Google has been constantly removing all of these apps. It is highly recommended that users pay close attention to the permission list of the apps they install on their Android devices. Also make sure you trust the Android app development company that is behind the app.
There is no clear description as to why a certain app needs a particular permission, meaning that whenever you are downloading any app, you still put a certain amount of trust in your gut feeling.
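To make the permission review above less dependent on gut feeling, the following added example (not from the researchers or from Google) flags apps whose requested permissions cover several of the data types the article says the Joker takes: SMS messages, the contact list and device info. It assumes text in the format printed by `aapt dump permissions`; the package names, the sample dump and the threshold of two data types are constructed for illustration.

```python
import re

# Permissions covering the data the article says the Joker steals:
# SMS messages, the contact list and device info.
SENSITIVE = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "device info",
}
PKG_RE = re.compile(r"^package:\s*(\S+)")
# Accepts both  uses-permission: name='X'  and the older  uses-permission: X
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_permissions(dump):
    """Return {package: set(permissions)} from one or more concatenated dumps."""
    apps, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        m = PKG_RE.match(line)
        if m:
            current = apps.setdefault(m.group(1), set())
            continue
        m = PERM_RE.match(line)
        if m and current is not None:
            current.add(m.group(1))
    return apps

def audit(dump, threshold=2):
    """Flag packages requesting at least `threshold` distinct sensitive data types."""
    findings = {}
    for pkg, perms in parse_permissions(dump).items():
        kinds = sorted({SENSITIVE[p] for p in perms if p in SENSITIVE})
        if len(kinds) >= threshold:
            findings[pkg] = kinds
    return findings

# Constructed sample: a hypothetical wallpaper app and a hypothetical notes app.
SAMPLE = """\
package: com.example.wallpaper
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.READ_PHONE_STATE'
package: com.example.notes
uses-permission: android.permission.READ_PHONE_STATE
"""

print(audit(SAMPLE))
```

A flagged app is not necessarily malicious; the result is a shortlist of apps whose stated purpose should be checked against what they ask to read.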