Over half a million Android users have installed an app used to deliver Joker malware after downloading it from the Google Play store.
Cybersecurity researchers at Pradeo identified the malware, which Google has now removed from its official Android app marketplace. Before its removal, the app, called ‘Color Message’, was downloaded by more than 500,000 Android users.
Advertised as an app that allowed users to personalise their default SMS messages, Color Message was a front to deliver Joker, one of the most prolific forms of Android malware.
Once installed, the malware does three things: it simulates clicks in order to generate revenue from malicious ads; subscribes users to unwanted paid premium services to steal money and commit billing fraud; and accesses users’ contact lists and sends the information to attackers. Researchers suggest there’s evidence that stolen information is sent to servers hosted in Russia.
Negative reviews of the app on the Play Store suggest that some users have noticed the unauthorised behaviour, with complaints about being charged for services they didn’t request access to.
Google Play has protocols designed to stop malicious apps from being published. However, the developers of the malicious app managed to bypass them.
“By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect,” said Pradeo’s Roxane Suau.
Users who have downloaded Color Message from the Google Play Store have been urged to uninstall the app immediately.
This is far from the first time Joker has been detected in the Play Store. Pradeo says it has been found in hundreds of apps in the past two years, and given how persistent those behind it are, it’s likely they’ll try to distribute the malware again.
ZDNet has contacted Google for comment but is yet to receive a reply at the time of publication.