The findings, disclosed by cybersecurity firm CSIS Security Group, reveal that the malware — called Joker — is designed to surreptitiously sign users up for premium service subscriptions, in addition to stealing the victim’s SMS messages, contact list, and device information.

In total, CSIS found 24 Android apps on Google Play (listed below) containing the trojan, which together racked up more than 472,000 downloads by unsuspecting Android users before Google eventually purged the infected software from its platform. Joker’s operators have specifically gone after victims in 37 countries, including Australia, China, Germany, India, Singapore, Switzerland, the UAE, the UK, and the US.

According to CSIS, the malware not only obfuscates how the actual malicious payload is delivered from the attacker’s command-and-control (C&C) server, it has also been programmed to generate “as little footprint as possible” by hiding within advertisement frameworks used in the apps. In addition to periodically requesting new commands from the C&C server, the trojan goes a step further by silently clicking on ads and hijacking SMS messages that contain the authorization code to verify subscription payments.

The apps in question are as follows:
- Advocate Wallpaper
- Age Face
- Altar Message
- Antivirus Security – Security Scan
- Beach Camera
- Board picture editing
- Certain Wallpaper
- Climate SMS
- Collate Face Scanner
- Cute Camera
- Dazzle Wallpaper
- Declare Message
- Display Camera
- Great VPN
- Humour Camera
- Ignite Clean
- Leaf Face Scanner
- Mini Camera
- Print Plant scan
- Rapid Face Scanner
- Reward Clean
- Ruddy SMS
- Soby Camera
- Spark Wallpaper

If you have installed any of the apps mentioned above, it’s worth checking your transaction history to see if there are any suspicious payments that you don’t recognize. Also, make sure to closely scrutinize the permissions granted to every app installed on your Android device.
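
One way to carry out the permission review suggested above is sketched below; it is an added example, not part of the original article or of CSIS's analysis. It parses output shaped like `adb shell dumpsys package` and flags apps that hold SMS access together with contacts or device-information access. The mapping from those behaviours to Android permissions, the output layout, and the package names in the sample are assumptions of this example.

```python
import re

# Assumed mapping from the behaviours reported above to Android permissions.
CATEGORIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
}

# Constructed sample shaped like `adb shell dumpsys package` output (made-up packages).
SAMPLE_DUMP = """\
Packages:
  Package [com.example.wallpaper] (1a2b3c):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.READ_PHONE_STATE: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true")

def granted_permissions(dump):
    """Return {package: set of permissions marked granted=true}."""
    result, current = {}, None
    for line in dump.splitlines():
        if (pkg := PKG_RE.match(line)):
            current = pkg.group(1)
            result[current] = set()
        elif current and (grant := GRANT_RE.match(line)):
            result[current].add(grant.group(1))
    return result

def flag_apps(dump):
    """Flag apps that can read SMS and reach at least one other sensitive category."""
    flagged = {}
    for pkg, perms in granted_permissions(dump).items():
        hits = sorted(c for c, wanted in CATEGORIES.items() if perms & wanted)
        if "sms" in hits and len(hits) >= 2:
            flagged[pkg] = hits
    return flagged

if __name__ == "__main__":
    print(flag_apps(SAMPLE_DUMP))
```

A flagged app is a candidate for manual review, not a verdict: messaging and dialer apps legitimately hold the same combination.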