For as many people as it employs, Google can’t stop every malicious app from sneaking its way onto Google Play. That’s why security researchers are such a hugely valuable resource. For example, earlier this week, the cloud security company Zscaler revealed that Google recently banned a whopping 52 malware-laced Android apps from the store.
Google bans malware-infested Android apps
In a recent blog post, Zscaler explained that its ThreatLabz team found apps in Google Play infected with three different malware families in recent months. The malware families were Joker, Facestealer, and Coper, some of which we’ve covered in the past.
The team immediately told Google about the apps and the company has since removed each of them from the Play store. But that was only after hundreds of thousands of Android users had downloaded the apps onto their phones and tablets.
Of the 52 apps, 50 contained the prominent Joker malware. As Zscaler notes, the malware is so persistent because attackers keep altering the traits that detection signatures match on. By updating the code, execution methods, and payload-retrieval techniques, attackers are able to skirt Google’s security, despite Joker being one of the most well-known malware families.
If you want to see a full list of Joker-infected apps, check out Zscaler’s blog post. If you have any of those apps on your phone, delete them immediately.
Zscaler’s breakdown of the Joker apps shows that a majority fall into the “communication” category. It might be tempting to try out a brand new messaging app, but unless you know and trust the developer, you really shouldn’t risk it. Most of the other infected apps fall into the tools category (PDF scanners, translators, etc.).
Technical analysis and other malware families
Zscaler offered a detailed technical analysis of one app containing the Joker malware. Here’s a snippet that might help you avoid becoming a victim yourself:
Most commonly, threat actors disguise the Joker malware in messaging applications that require users to grant escalated access permissions by allowing them to serve as the default SMS app on the user’s phone. The malware uses these advanced permissions to carry out its operations.
The other apps Zscaler listed on its blog were Vanilla Camera and Unicc QR Scanner. Vanilla Camera contains the Facestealer malware, which prompts users to log in to Facebook. Once they do, the app steals their credentials and authentication tokens. Unicc QR Scanner, on the other hand, is infected with Coper, which is a trojan capable of intercepting and sending SMS texts, keylogging, locking devices, preventing uninstalls, and more.
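The common thread in the Joker and Coper descriptions above is SMS access: Joker wants the default SMS app role, and Coper intercepts and sends texts. The script below is an added example written for this article, not code from Zscaler, Google, or the malware analyses it cites. It parses the output of two stock Android commands, `adb shell dumpsys package` and `adb shell settings get secure sms_default_application`, and flags installed apps that hold SMS permissions or the default SMS role. The package names, permission lists, and the abridged command output are constructed samples, and the allowlist of trusted messaging apps is an assumption you would replace with your own.

```python
"""Triage installed Android apps for SMS permissions and the default SMS role.

Added example: parses constructed samples of `adb shell dumpsys package`
and `adb shell settings get secure sms_default_application` output.
Real dumpsys output is far longer; the sections this parser relies on
("requested permissions:", "runtime permissions:", "granted=true") are
the stock format, but check them against your device's Android version.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Permissions that let an app read, receive, or send text messages.
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.RECEIVE_WAP_PUSH",
}

# Constructed, abridged sample of `adb shell dumpsys package` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.messaging] (1a2b3c):
    userId=10042
    requested permissions:
      android.permission.RECEIVE_SMS
      android.permission.SEND_SMS
      android.permission.READ_SMS
    User 0: installed=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.SEND_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.pdfscanner] (4d5e6f):
    userId=10137
    requested permissions:
      android.permission.INTERNET
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
    User 0: installed=true
      runtime permissions:
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.flashlight] (7a8b9c):
    userId=10201
    requested permissions:
      android.permission.INTERNET
    User 0: installed=true
"""
# Constructed sample of `adb shell settings get secure sms_default_application`.
SAMPLE_DEFAULT_SMS = "com.android.messaging\n"


@dataclass
class AppPerms:
    package: str
    requested: set = field(default_factory=set)  # declared in the manifest
    granted: set = field(default_factory=set)    # runtime permissions the user granted


def parse_dumpsys(text: str) -> dict:
    """Map package name -> AppPerms from dumpsys package output."""
    apps, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        pkg = re.match(r"Package \[([^\]]+)\]", line)
        if pkg:  # a new package block starts; reset section state
            current = AppPerms(pkg.group(1))
            apps[current.package] = current
            section = None
            continue
        if current is None:
            continue
        if line == "requested permissions:":
            section = "requested"
        elif line == "runtime permissions:":
            section = "runtime"
        elif line.endswith(":"):  # any other section header ends the current one
            section = None
        elif section == "requested" and re.fullmatch(r"[\w.]+", line):
            current.requested.add(line)
        elif section == "runtime":
            m = re.match(r"([\w.]+): granted=(true|false)", line)
            if m and m.group(2) == "true":
                current.granted.add(m.group(1))
    return apps


def triage(apps: dict, default_sms_pkg: str,
           allowlist=frozenset({"com.android.messaging"})) -> list:
    """Return (package, severity, reason) for apps outside the allowlist."""
    findings = []
    for pkg, app in sorted(apps.items()):
        if pkg in allowlist:
            continue
        short = lambda perms: ", ".join(sorted(p.rsplit(".", 1)[1] for p in perms))
        if pkg == default_sms_pkg:
            findings.append((pkg, "HIGH", "holds the default SMS app role"))
        elif app.granted & SMS_PERMISSIONS:
            findings.append((pkg, "HIGH", "granted " + short(app.granted & SMS_PERMISSIONS)))
        elif app.requested & SMS_PERMISSIONS:
            findings.append((pkg, "MEDIUM", "requests " + short(app.requested & SMS_PERMISSIONS)))
    return findings


def collect_from_device() -> tuple:
    """Assumes `adb` is on PATH and one device is attached (not exercised by the sample run)."""
    dump = subprocess.run(["adb", "shell", "dumpsys", "package"], capture_output=True, text=True).stdout
    dflt = subprocess.run(["adb", "shell", "settings", "get", "secure", "sms_default_application"],
                          capture_output=True, text=True).stdout
    return dump, dflt


if __name__ == "__main__":
    for pkg, sev, why in triage(parse_dumpsys(SAMPLE_DUMPSYS), SAMPLE_DEFAULT_SMS.strip()):
        print(f"{sev:6} {pkg}: {why}")
```

On the constructed sample the PDF scanner is the only hit: it was granted RECEIVE_SMS and READ_SMS, which a document tool has no business holding, while the stock messaging app is skipped by the allowlist and the flashlight requests nothing SMS-related. Swap the two sample strings for the output of `collect_from_device()` to run it against a real handset; the point is not that SMS permissions prove malice, but that they are the rare, high-value grant the article's malware families all depend on and so deserve a deliberate review.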
Google might have banned these apps, but more appear on Google Play every day. Always be vigilant when downloading apps from any app store.