
24 Trojan-Infected Apps Got Removed From Google Play Store


Cybersecurity firm CSIS Security Group has discovered a new Trojan lurking on Google Play Store. In a report released last week, the firm said it had detected the malware in 24 Play Store applications with more than 472,000 downloads each.

The malware, which CSIS refers to as the “Joker,” steals a person’s SMS messages, contact list, and device information, then simulates interactions with ad websites. These interactions include clicks and entering authorization codes for premium service subscriptions.

In Denmark, CSIS reported that the Joker was able to sign up unsuspecting victims for a 50 DKK/week service. According to the cybersecurity firm, the Joker is considered a “spy and premium subscription bot.”

Aleksejs Kuprins, a malware analyst at CSIS, explained how the Trojan works.

“This strategy works by automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for a SMS message with a confirmation code and extracting it using regular expressions. Finally, the Joker submits the extracted code to the offer’s webpage, in order to authorize the premium subscription.”

Google Purged Malware Apps

After the malware-carrying applications were identified, they were immediately removed from the Google Play Store. The apps include:

  • Advocate Wallpaper
  • Age Face
  • Altar Message
  • Antivirus Security – Security Scan
  • Beach Camera
  • Board picture editing
  • Certain Wallpaper
  • Climate SMS
  • Collate Face Scanner
  • Cute Camera
  • Dazzle Wallpaper
  • Declare Message
  • Display Camera
  • Great VPN
  • Humour Camera
  • Ignite Clean
  • Leaf Face Scanner
  • Mini Camera
  • Print Plant scan
  • Rapid Face Scanner
  • Reward Clean
  • Ruddy SMS
  • Soby Camera
  • Spark Wallpaper

CSIS also said that the Joker malware had been targeting countries located mostly in Europe and Asia. According to the security agency, the Trojan-ridden apps contain an additional check to ensure that the payload will not be executed when they are running in the United States or Canada.

Thirty-seven countries have been targeted by the Joker attack, including Australia, France, Germany, India, Ireland, Italy, Kuwait, Singapore, Spain, Sweden, Thailand, Turkey, United Arab Emirates, United Kingdom, and the United States.

Aside from obscuring the “modus operandi” of delivering the malicious payload from the attacker’s command-and-control server, the Joker also leaves a barely noticeable footprint by hiding the ad frameworks used in the Android applications.

Google and CSIS are both encouraging people who have downloaded and installed these applications to uninstall them immediately and to be vigilant when approving app permissions.
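The permission advice above can be turned into a quick triage check. The following is an added example, not code from the article or from CSIS: it reads a decoded `AndroidManifest.xml` (for instance, the text form produced by apktool) and reports whether an app requests access to the three kinds of data the article names. The mapping from those data types to Android permissions is an assumption, and the package names and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping: data the article says is taken -> permissions that gate it.
DATA_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
}
INTERNET = "android.permission.INTERNET"

def audit_manifest(manifest_xml):
    """Report which sensitive data categories a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    categories = sorted(c for c, p in DATA_PERMISSIONS.items() if perms & p)
    return {
        "package": root.get("package"),
        "categories": categories,
        # SMS access plus network access is the pairing worth a manual look.
        "review": "sms" in categories and INTERNET in perms,
    }

def make_manifest(package, permissions):
    """Build a constructed sample manifest (not taken from any real app)."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in permissions)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')

# Constructed samples: one wallpaper app asking for far more than it needs, one not.
SAMPLE_OVERREACH = make_manifest("com.example.wallpaper.a", [
    INTERNET, "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE", "android.permission.SET_WALLPAPER"])
SAMPLE_PLAIN = make_manifest("com.example.wallpaper.b", [
    INTERNET, "android.permission.SET_WALLPAPER"])

if __name__ == "__main__":
    for sample in (SAMPLE_OVERREACH, SAMPLE_PLAIN):
        print(audit_manifest(sample))
```

A `review` result is a prompt for manual inspection, not a verdict: legitimate messaging apps request the same permissions, so the app's stated purpose still has to be weighed against what it asks for.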


Chelle Fuertes

Chelle is the Product Management Lead at INK. She's an experienced SEO professional as well as UX researcher and designer. She enjoys traveling and spending time anywhere near the sea with her family and friends.
