An Android app with more than half a million downloads from the Google Play app store has been discovered hosting malware that secretly transmits users’ contact lists to an attacker-controlled server and signs them up for expensive subscriptions without their knowledge.
Cybersecurity researchers at Pradeo discovered the Joker malware in a messaging-focused app called Color Message, which Google has since removed from its official Android app marketplace. The app claimed to make SMS texting more fun by adding new emojis. Beyond the data theft and billing fraud, the researchers also observed the malware simulating ad clicks to generate fraudulent advertising revenue and communicating with servers hosted in Russia.
“Our analysis of the Color Message application through the Pradeo Security engine shows that it accesses users’ contact list and exfiltrates it over the network,” mobile security firm Pradeo stated.
“Simultaneously, the application automatically subscribes to unwanted paid services unbeknownst to users. To make it difficult to be removed, the application has the capability to hide its icon once installed.”
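The icon-hiding behaviour described above leaves a measurable trace: a third-party package that is installed but no longer resolves a launcher (MAIN/LAUNCHER) activity. The script below is an added example for triaging a device over adb; it is not code from Pradeo or from the Color Message app, and the package names, the sample command output and the use of `pm list packages -3` plus `cmd package resolve-activity --brief` are assumptions for illustration.

```python
"""
Triage an Android device for installed third-party packages that expose no
launcher activity, the symptom left behind when an app disables its own icon.

Added example, not code from the article, from Pradeo or from the app it
describes. Assumptions (not from the article): the device is reachable over
adb, `pm list packages -3` lists third-party packages as 'package:<name>',
and `cmd package resolve-activity --brief` prints the resolved component
(e.g. 'com.example.app/.MainActivity') or 'No activity found'.
"""
import shutil
import subprocess

# Intent that the home screen sends to populate the app drawer.
LAUNCHER_INTENT = ["-a", "android.intent.action.MAIN",
                   "-c", "android.intent.category.LAUNCHER"]


def parse_package_list(output):
    """Turn 'package:com.example' lines from `pm list packages` into names."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.append(line[len("package:"):])
    return names


def has_launcher_activity(resolve_output):
    """True when resolve-activity printed a component for the package.

    A component looks like '<package>/<activity>'; the exact surrounding
    text varies between Android versions, so only the '/' form is relied on.
    """
    for line in resolve_output.splitlines():
        line = line.strip()
        if "No activity found" in line:
            return False
        if "/" in line and not line.startswith("priority="):
            return True
    return False


def hidden_icon_packages(package_list_output, resolve_outputs):
    """Return third-party packages with no resolvable launcher activity.

    resolve_outputs maps package name -> raw output of resolve-activity.
    A missing entry is treated as 'did not resolve'.
    """
    return [pkg for pkg in parse_package_list(package_list_output)
            if not has_launcher_activity(resolve_outputs.get(pkg, ""))]


def adb_shell(*args):
    """Run an `adb shell` command and return its stdout (empty on failure)."""
    proc = subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=False)
    return proc.stdout


def scan_device():
    """Query a connected device and return the suspicious package list."""
    pkg_out = adb_shell("pm", "list", "packages", "-3")
    resolved = {
        pkg: adb_shell("cmd", "package", "resolve-activity", "--brief",
                       *LAUNCHER_INTENT, pkg)
        for pkg in parse_package_list(pkg_out)
    }
    return hidden_icon_packages(pkg_out, resolved)


# Constructed sample output standing in for a device; package names are
# hypothetical and not the real app's identifier.
SAMPLE_PACKAGES = (
    "package:com.example.keyboard\n"
    "package:com.example.colormsg\n"
    "package:com.example.notes\n"
)
SAMPLE_RESOLVED = {
    "com.example.keyboard": "priority=0 preferredOrder=0 match=0x108000\n"
                            "com.example.keyboard/.MainActivity\n",
    "com.example.colormsg": "No activity found\n",
    "com.example.notes": "com.example.notes/com.example.notes.HomeActivity\n",
}

if __name__ == "__main__":
    if shutil.which("adb"):
        suspects = scan_device()
    else:
        suspects = hidden_icon_packages(SAMPLE_PACKAGES, SAMPLE_RESOLVED)
    for pkg in suspects:
        print("installed but not launchable:", pkg)
```

Treat the output as a triage list rather than a verdict: keyboards, widget providers and background services legitimately ship without a launcher icon, so each hit still needs a look at the package's permissions and origin. Anything flagged that arrived from the Play Store as a normal app is worth uninstalling from Settings, since the missing icon means it cannot be removed from the home screen.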
Reviews of the app on the Play Store indicated that some users had already noticed the unauthorized behavior, with complaints about being charged for services they never requested. Removal from the store, however, does not remove the app from devices where it is already installed: anyone who downloaded it in the past remains exposed, and the researchers advise uninstalling it immediately. Because the app hides its icon, it has to be located and uninstalled through the device's application settings rather than from the home screen, and affected users should also review their carrier bill for subscriptions they did not authorize.
Joker, first identified in 2017, is a notorious family of fleeceware that is hard to spot because of the tiny footprint of its code and the techniques its developers use to conceal it inside otherwise ordinary apps. Over the past few years it has been found lurking in hundreds of apps downloaded by millions of people, carrying out an array of malicious activities that include billing fraud, intercepting SMS messages, and harvesting users' contact details and device information.
"We are [sic] committed to ensuring that the app is as useful and efficient as possible. For that reason, we reserve the right to make changes to the app or to charge for its services, at any time and for any reason. We will never charge you for the app or its services without making it very clear to you exactly what you're paying for,” the developers behind Color Message state in their terms and conditions.