Cybersecurity firm CSIS Security Group has discovered a new Trojan lurking on Google Play Store. In a report released last week, the firm said that they detected the malware in 24 Play Store applications with more than 472,000 downloads each.
The malware, which CSIS refers to as the “Joker,” steals a person’s SMS messages, contact list, and device information, then simulates interactions with ad websites. These interactions include clicks and entering authorization codes for premium service subscriptions.
In Denmark, CSIS reported that the Joker was able to sign up unsuspecting victims for a 50 DKK/week service. According to the cybersecurity firm, the Joker is considered a “spy and premium subscription bot.”
Aleksejs Kuprins, a malware analyst at CSIS, explained how the Trojan works.
“This strategy works by automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for a SMS message with a confirmation code and extracting it using regular expressions. Finally, the Joker submits the extracted code to the offer’s webpage, in order to authorize the premium subscription.”
Google Purged Malware Apps
After the malware-carrying applications were identified, they were immediately removed from the Google Play Store. The apps include:
- Advocate Wallpaper
- Age Face
- Altar Message
- Antivirus Security – Security Scan
- Beach Camera
- Board picture editing
- Certain Wallpaper
- Climate SMS
- Collate Face Scanner
- Cute Camera
- Dazzle Wallpaper
- Declare Message
- Display Camera
- Great VPN
- Humour Camera
- Ignite Clean
- Leaf Face Scanner
- Mini Camera
- Print Plant scan
- Rapid Face Scanner
- Reward Clean
- Ruddy SMS
- Soby Camera
- Spark Wallpaper
CSIS also said that the Joker malware had been targeting countries located mostly in Europe and Asia. According to the security firm, the Trojan-ridden apps contain an additional check to ensure that their payload will not be executed when they are running in the United States or Canada.
Thirty-seven countries have been targeted by the Joker attack, including Australia, France, Germany, India, Ireland, Italy, Kuwait, Singapore, Spain, Sweden, Thailand, Turkey, United Arab Emirates, United Kingdom, and the United States.
Aside from obscuring how the malicious payload is delivered from the attacker’s command-and-control server, the Joker also keeps its footprint hard to notice by hiding the ad frameworks used in the Android applications.
Google and CSIS are both encouraging people who have downloaded and installed these applications to uninstall them immediately and to be vigilant when approving app permissions.
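The permission check advised above can be automated for apps under review. The following is an added example, not code from CSIS or Google: it reads a decoded AndroidManifest.xml (for instance one produced by apktool) and flags apps that can both read SMS and reach the network. The mapping of the article's three data types to Android permissions, the review rule, and both sample manifests are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the data types named in the article to the Android
# permissions that gate them (this example's choice, not from the CSIS report).
SENSITIVE = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
}

def _manifest(*perms):
    """Build a constructed sample manifest declaring the given permissions."""
    rows = "".join(f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.wallpaper">{rows}</manifest>')

# Constructed samples: two wallpaper apps, one over-privileged for its purpose.
SAMPLE_SUSPECT = _manifest("INTERNET", "SET_WALLPAPER", "READ_SMS",
                           "RECEIVE_SMS", "READ_CONTACTS", "READ_PHONE_STATE")
SAMPLE_BENIGN = _manifest("INTERNET", "SET_WALLPAPER")

def requested_permissions(manifest_xml):
    """Return the set of permissions declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit_manifest(manifest_xml):
    """Report which sensitive data categories an app can reach and whether to review it."""
    perms = requested_permissions(manifest_xml)
    hits = {cat: sorted(perms & wanted)
            for cat, wanted in SENSITIVE.items() if perms & wanted}
    # SMS access plus network access is the combination that lets an app read
    # a confirmation code and pass it on, so that pairing triggers a review.
    network = "android.permission.INTERNET" in perms
    return {"categories": hits, "network": network, "review": "sms" in hits and network}

if __name__ == "__main__":
    for label, xml_text in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, audit_manifest(xml_text))
```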