11 Google Play apps infected with nasty Android malware: What to do

News
By last updated

The malware signs users up to premium subscriptions

google play store on an Android mobile phone
(Image credit: aizaq abdullah / Shutterstock.com)

A new variant of the Joker dropper and premium dialer malware recently made its way into 11 apps in the Google Play Store, reports information-security firm Check Point.

According to Check Point's report, released today (July 9), the creators of Joker have updated its code to enable it to get around Google Play security measures and infect Android devices yet again.

Checkpoint researchers said the latest variant of Joker hid in “seemingly legitimate applications” and installed “additional” malware onto the devices of unsuspecting users.

They explained that the malware then “subscribes the user to premium services without their knowledge or consent.” 

The latest strain of Joker was found in 11 different apps, including a flower wallpapers app, a file-recovery app, an alarm app, a memory game and several apps that offered cheery messages or relaxation. All were removed from the Google Play store by April 30, according to a Check Point press release.

Leveraging old tactics

To avoid detection of the malware, Joker’s creators usually make small changes to the code. For example, 24 apps were booted from Google Play in September 2019 for harboring Joker.

But the Check Point researchers said that this time around, the malware developers “adopted an old technique from the conventional PC threat landscape and used it in the mobile app world.”

“To realize the ability of subscribing app users to premium services without their knowledge or consent, the Joker utilized two main components – the Notification Listener service that is part of the original application, and a dynamic dex file loaded from the C&C server to perform the registration of the user to the services,” wrote the researchers. 

The researchers said Joker’s creators “hid the dynamically loaded dex file from sight while still ensuring it is able to load”, a method they said is usually adopted by cyber crooks developing Windows malware. 

“This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded.”

What to do if you're infected

For users who have downloaded an infected app onto their device, Check Point recommends that they uninstall it; review their bank statements to see if any payments for unfamiliar subscriptions have come out of their account; and use one of the best Android antivirus apps.

A full list of the Android package names is below. These package names don't always correspond to what the app is called in Google Play or app stores, however. 

  • com.imagecompress.android
  • com.contact.withme.texts
  • com.hmvoice.friendsms
  • com.relax.relaxation.androidsms
  • com.cheery.message.sendsms
  • com.cheery.message.sendsms
  • com.peason.lovinglovemessage
  • com.file.recovefiles
  • com.LPlocker.lockapps
  • com.remindme.alram
  • com.training.memorygame
Nicholas Fearn

Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!