Android owners may want to check their phones. A cybersecurity company has discovered a handful of apps that embed Joker malware on Android phones. So far, more than 100,000 people have installed the software.
Pradeo, in a blog post Tuesday, warned users to remove “Smart Text Messages”, “Blood Pressure Monitor”, “Voice Languages Translator” and “Quick Text SMS” from their devices immediately. (Google has already removed all four apps from the Google Play Store.)
Joker is a kind of “fleeceware” that subscribes infected devices to unwanted paid services. It also sends text messages and places calls to premium numbers without the phone owner’s knowledge, running up a high phone bill from which the hackers take a cut. The practice is also known as ‘toll fraud’.
“By using as little code as possible and hiding it thoroughly, Joker generates a very discreet footprint that can be difficult to detect. In the past three years, the malware was found hiding in thousands of apps,” Pradeo wrote. “Victims don’t notice the fraud until they receive their cell phone bill, possibly weeks after it started.”
The company says it recently found Joker in at least 11 other Android apps, even as Congress considers a bill that would force Apple and Google to let apps bypass their marketplaces in a practice called ‘sideloading’. In any case, the apps are programmed to install other applications on infected phones, which could add even more dangerous malware.
Joker, also known as Jocker, has been around for a while, but lately its footprint is growing. Researchers at security firm Kaspersky say the malware has become advanced enough that it can bypass bot detection mechanisms on paid service sites.
Once you install an app infected with the malware, it will ask for access to text messages and/or notifications, depending on the type of app it’s hiding in. Kaspersky notes that by accessing notifications, it can intercept confirmation codes in the text of messages, allowing it to subscribe to a paid service without the user’s knowledge.
Microsoft published an extended warning about Joker and other types of malware that contribute to toll fraud: “Toll fraud has been one of the most common forms of Android malware on the Google Play Store since 2017, when families like Joker and their variants first appeared. It accounted for 34.8% of the installed Potentially Harmful Applications (PHA) from the Google Play Store in the first quarter of 2022, and is second only to spyware.”
In their Google Play listings, the weaponized apps Pradeo discovered seemed legit enough. However, the company says there are a few steps users can take to protect themselves from future downloads with Joker hidden in the code.
Check the developer’s account first. If they only have one app, be extremely careful. (Once an app is banned, the hacker simply opens a new developer account.) Also look for red flags in the privacy policy. If it’s hosted on a Google Docs or Google Sites page, that’s a warning sign. If it uses a template or is particularly short, stay away. And if it doesn’t reveal the full scope of activities the app can perform, then walk away.
Of course, this also requires you to read the privacy policy before installing the app, something very few people do.