A popular smartphone virus that subscribes Android users to premium services without their consent keeps appearing in the Google Play app store, new research shows.
A malware family known as Joker, or “Bread,” keeps reappearing in the Google Play store despite its known presence and threat to users’ bank accounts, researchers at cybersecurity company Check Point Research discovered.
“It’s a sort of malware that has the ability to subscribe a victim to a premium service without consent,” Aviran Hazam, Check Point’s head of mobile threat intelligence, told FOX Business. “A premium service is a service you subscribe to that you have to pay for on a weekly or daily basis, like a fact-of-the-day or horoscope app.”
Check Point discovered four malicious Joker apps downloaded more than 130,000 times.
First, Joker identifies victims’ geographic locations and phone numbers. Then, Joker identifies the premium services available near the users’ locations. Next, the malware signs victims up for a service using victims’ phone numbers.
When the service sends a verification code text message to the users’ phone numbers, Joker has the ability to hide that verification message from the victims and insert the required code. Meanwhile, Joker remains hidden on users’ devices.
The only way for victims to unsubscribe from these premium services is to notice unrecognizable charges to their banks and manually cancel the subscriptions.
Hazam said that Joker’s exact goals aren’t known to Check Point, but it is likely that “they have some sort of financial connection” to the services to which it subscribes its victims.
Google confirmed to FOX Business that it has taken down the malicious apps. The tech giant took down 1,700 unique Joker apps from Google Play before they were ever downloaded by users, according to a Jan. 9 blog post.
Joker has “used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected,” the blog post reads. “Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere.”
Google said in a more recent blog post that it has “stopped over 790,000 policy-violating app submissions before they were ever published to the Play Store” since it released a new policy in 2018 to stop apps from accessing victims’ private messaging and call log data.
“Google has been putting many resources into fighting this,” Hazam said, adding that the issue is still present in the Google Play store and extremely persistent.
“The much bigger threat in this area is the persistence in which we observe how the Joker family keeps infiltrating Google Play,” Hazam explained. “If you remove one app, another will show up. Joker keeps infiltrating Google Play on a daily or weekly basis.”
Check Point also discovered relatively new “clicker” malware, or viruses that mimic user “clicks” on advertisements, called “Haken” and “BearCloud” on Google Play. The research company said it found an increase in activity and scale of Haken and BearCloud operations with 47 new apps available on Google Play that were downloaded more than 78 million times by users.
“The Haken malware family was installed on over 50,000 Android devices by eight different malicious apps, which all appeared to be benign,” Ran Schwartz, Check Point threat prevention product manager, said in a statement. “The apps were mostly camera utilities and children’s games.”
Those applications have been removed from Google Play too, he said.
“But this does highlight that despite ongoing efforts to secure the Google Play Store against malicious apps, completely eliminating the risk of users getting a malicious download from the store is not going to happen quickly,” Schwartz said. “There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily, which makes it difficult to check every single app is safe.”