Google has removed 17 Android apps from the official Play Store this week. All 17 apps, detected by Zscaler security researchers, were infected with the Joker (also known as Bread) malware.
“This spyware is designed to steal SMS messages, contact lists and device information, as well as silently signing the victim up for premium wireless application protocol (WAP) services,” Zscaler security researcher Viral Gandhi said this week.
All 17 malicious apps were uploaded to the Play Store this month and did not get a chance to build a large following: they had been downloaded over 120,000 times before being detected.
The names of the 17 applications were:
- Every good PDF scanner
- Mint Leaf Message – Your Private Message
- Unique keyboard – free stylish fonts and emoticons
- Tangram app crash
- Direct messenger
- Private SMS
- One Sentence Translator – Multifunctional Translator
- Photo collage style
- Meticulous scanner
- Desire Translate
- Talent Photo Editor – Defocused focus
- Care message
- Part Message
- Paper document scanner
- Blue scanner
- Hummingbird PDF Converter – Photo to PDF
- Every good PDF scanner
Following its internal procedures, Google removed the apps from the Play Store and used the Play Protect service to disable them on infected devices; however, users still have to intervene manually and remove the apps from their devices.
Joker is the bane of the Play Store
But this recent takedown also marks the third such action by Google’s security team against a batch of Joker-infected apps in recent months.
Google removed six of those apps earlier this month after Pradeo security researchers spotted and reported them.
Before that, in July, Google removed another batch of Joker-infected apps discovered by Anquanke security researchers. This batch had been active since March and had managed to infect millions of devices.
The way these infected applications often slip past Google’s defenses and reach the Play Store is through a technique called a “dropper”, in which the victim’s device is infected in a multi-stage process.
The technique is fairly simple but, from Google’s perspective, difficult to defend against.
Malware authors start by cloning the functionality of a legitimate app and uploading it to the Play Store. This app is fully functional; it requests access to dangerous permissions, but it performs no malicious actions when it is run for the first time.
Because the malicious actions are usually delayed by hours or days, Google’s security scans do not detect any malicious code, and Google generally allows the application to appear on the Play Store.
But once on a user’s device, the application eventually downloads and “drops” (hence the name droppers or loaders) other components or applications on the device that contain the Joker malware or other strains of malware.
The Joker family, which Google tracks internally as Bread, has been one of the most ardent users of the dropper technique. This, in turn, has allowed Joker to reach the Play Store, the Holy Grail of most malware operations, more than many other malware groups.
In January, Google published a blog post describing Joker as one of the most persistent and advanced threats it has faced in recent years. Google said its security teams had removed more than 1,700 apps from the Play Store since 2017.
But Joker is much more widespread than that, and it’s also found in apps loaded on third-party Android app stores.
In total, Anquanke said it has detected more than 13,000 Joker samples since the malware was first discovered in December 2016.
Protection against Joker is difficult, but if users show some caution when installing apps with broad permissions, they can avoid getting infected.
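As an added defender-side illustration (not code from the article, Zscaler or Google), the script below shows how to triage the "broad permissions" advice above on a real device: it parses the output of `adb shell dumpsys package <pkg>` and flags third-party apps that actually hold SMS-related permissions, which are the permissions Joker abuses for message theft and premium-service sign-ups. The assumed dumpsys layout (a "runtime permissions:" section with `<permission>: granted=true` lines), the package names and the sample output are all constructed for the example.

```python
"""Flag installed Android apps that hold SMS-related permissions.

Added triage example, not from the article. It assumes the `adb shell
dumpsys package <pkg>` layout in which granted permissions appear as lines
such as `android.permission.READ_SMS: granted=true`.
"""
import re
import subprocess

# Permissions Joker-style spyware needs to read, intercept or send texts.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_WAP_PUSH",
}

# Matches a granted permission line; trailing flags (if any) are ignored.
GRANTED_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=true")


def granted_permissions(dumpsys_text):
    """Return the set of permissions reported as granted=true."""
    return {m.group(1) for line in dumpsys_text.splitlines()
            if (m := GRANTED_RE.match(line))}


def sms_risk(dumpsys_text):
    """Return the SMS-related permissions an app actually holds, sorted."""
    return sorted(granted_permissions(dumpsys_text) & SMS_PERMISSIONS)


def audit(packages):
    """packages: {package_name: dumpsys_text}. Returns flagged apps only."""
    return {pkg: perms for pkg, text in packages.items() if (perms := sms_risk(text))}


def live_audit():
    """Run the audit against a connected device (needs adb on PATH)."""
    listing = subprocess.run(["adb", "shell", "pm", "list", "packages", "-3"],
                             capture_output=True, text=True, check=True).stdout
    pkgs = [l.split(":", 1)[1].strip()
            for l in listing.splitlines() if l.startswith("package:")]
    dumps = {p: subprocess.run(["adb", "shell", "dumpsys", "package", p],
                               capture_output=True, text=True, check=True).stdout
             for p in pkgs}
    return audit(dumps)


# Constructed sample output shaped like dumpsys; package names are placeholders.
SAMPLE = {
    "com.example.pdfscanner": """Packages:
  Package [com.example.pdfscanner] (1a2b3c):
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.RECEIVE_SMS: granted=true
      android.permission.CAMERA: granted=true
""",
    "com.example.notes": """Packages:
  Package [com.example.notes] (4d5e6f):
    runtime permissions:
      android.permission.READ_SMS: granted=false
      android.permission.CAMERA: granted=true
""",
}

if __name__ == "__main__":
    # Offline run over the constructed sample; use live_audit() with a device.
    for pkg, perms in audit(SAMPLE).items():
        print(f"{pkg}: {', '.join(perms)}")
```

Only the sample app that really holds READ_SMS and RECEIVE_SMS is flagged; a denied permission (`granted=false`) is ignored, so the list is what an attacker-controlled app could use right now, not what it merely asked for. A flagged scanner or keyboard app is exactly the mismatch between purpose and permissions the article warns about.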
In other Android security news
Bitdefender reported a batch of malicious applications to Google’s security team. Some of these apps are still available on the Play Store. Bitdefender did not reveal the name of the applications, but only the names of the developer accounts from which they were uploaded. Users who have installed applications from these developers should remove them immediately.
- Nouvette
- Piastos
- Progster
- imirova91
- StokeGroove
- Volkavstune
ThreatFabric also published a report on the disappearance of the Cerberus malware and the rise of the Alien malware, which contains credential stealing functions for 226 applications.