Google is taking stern action against malware-laced Android apps on the Play Store. After they had received more than 3 million downloads, Google removed 8 apps from its Google Play Store that were spreading a new variant of the Joker spyware.
The malware was found by French security researcher Maxime Ingrao of the cybersecurity company Evina. It can read SMS messages and subscribe users to premium services without their knowledge.
Toll fraud malware, more commonly known as Fleeceware, is the term for malicious apps that sign users up for premium services without their knowledge or consent in order to run up charges on their bills.
Joker malware strikes Google Play Store.
According to Threat Post, Ingrao found that eight applications on the store had been spreading Autolycos since June 2021, and that these apps had received millions of downloads. The creators of Autolycos are also using Facebook pages, Instagram, and paid ads to spread the malware.
Ingrao compared the malware to Joker, spyware that surfaced in 2019. Joker also secretly enrolled users in premium services and stole their SMS messages.
Indeed, after closer inspection, Malwarebytes researchers concluded that the malware is a fresh iteration of Joker, which they detect as “Android/Trojan.Joker”. Malwarebytes intelligence researcher Pieter Arntz made this statement in a blog post one day after Ingrao’s disclosure.
According to Malwarebytes, Joker was one of the first significant malware families to focus on Fleeceware. The malicious apps that spread the malware abused advertising frameworks to aggregate and serve in-app advertisements.
List of removed apps
- Vlog Star Video Editor (com.vlog.star.video.editor)
- Freeglow Camera 1.0.0 (com.glow.camera.open)
- Creative 3D Launcher (app.launcher.creative3d)
- Wow Beauty Camera (com.wowbeauty.camera)
- Gif Emoji Keyboard (com.gif.emoji.keyboard)
- Coco Camera v1.1 (com.toomore.cool.camera)
- Funny Camera by KellyTech
- Razer Keyboard & Theme by rxcheldiolola
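For a defender who wants to know whether any managed Android device still has one of these apps installed, the following is an added example (not code from the article, Evina, or Malwarebytes) that sweeps the output of `adb shell pm list packages` for the package names listed above. It assumes that output has already been captured into a string; only the six apps for which the article gives a package name are included, since the remaining two are listed without one. The sample device output is constructed for the example.

```python
"""Sweep an Android package inventory for the Play Store apps named in the article.

Added example, not from the article or the vendors it cites. Assumes the text of
`adb shell pm list packages` (optionally with -f) has been captured into a string,
one "package:<name>" line per installed package.
"""
from __future__ import annotations

# Package names exactly as listed in the article. Funny Camera and
# Razer Keyboard & Theme are named there without a package id, so they
# cannot be matched by package name and are deliberately left out.
AUTOLYCOS_PACKAGES = {
    "com.vlog.star.video.editor": "Vlog Star Video Editor",
    "com.glow.camera.open": "Freeglow Camera",
    "app.launcher.creative3d": "Creative 3D Launcher",
    "com.wowbeauty.camera": "Wow Beauty Camera",
    "com.gif.emoji.keyboard": "Gif Emoji Keyboard",
    "com.toomore.cool.camera": "Coco Camera",
}


def parse_pm_list(output: str) -> set:
    """Return the set of package names in `pm list packages` output.

    Handles both the plain form ("package:com.foo") and the -f form
    ("package:/data/app/.../base.apk=com.foo"). Other lines are ignored.
    """
    packages = set()
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        entry = line[len("package:"):]
        # With -f the APK path precedes '='; the package name is the last field.
        name = entry.rsplit("=", 1)[-1]
        if name:
            packages.add(name)
    return packages


def find_flagged(installed: set, watchlist: dict = AUTOLYCOS_PACKAGES) -> dict:
    """Map each installed package that is on the watchlist to its display name."""
    return {pkg: watchlist[pkg] for pkg in installed if pkg in watchlist}


# Constructed sample output (not from a real device): ordinary packages
# mixed with two of the removed apps.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.google.android.gms
package:com.wowbeauty.camera
package:com.example.notes
package:com.gif.emoji.keyboard
"""

if __name__ == "__main__":
    hits = find_flagged(parse_pm_list(SAMPLE_PM_OUTPUT))
    for pkg, name in sorted(hits.items()):
        print(f"FLAGGED {pkg} ({name})")
    if not hits:
        print("No listed packages installed")
```

On a real device the input would come from `adb shell pm list packages -f`, which also shows the installed APK path, useful when deciding whether the app came from Google Play or was sideloaded. Matching by package name only catches the builds named in the article; a repackaged variant under a different name needs a different detection.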
Differences between Autolycos and Joker
There are, however, some differences between Autolycos and the original Joker. According to the report, Joker uses WebViews (a piece of web content rendered inside the app, such as “a tiny section of the app screen, an entire page, or anything in between”) to perform its dirty work.
Autolycos avoids this by executing the URLs in a remote browser and then including the result in its HTTP requests. This helps Autolycos evade detection even more effectively than the original Joker, and not needing a WebView also reduces the chance that the user of an affected device notices something fishy going on.
What are your thoughts on this? Comment down below.