The Joker virus is back on Android

Tenacious, the Joker malware has once again succeeded in thwarting the security of the Play Store. This time he hid himself in a fun and harmless SMS personalization application.

You will also be interested

[EN VIDÉO] Do our smartphones kill insects?
Insects are seriously threatened by pesticides, urbanization and intensive agriculture. But cell phone waves could also be harmful to them.

Impossible to get rid of it! The Joker virus which has been inviting itself for nearly four years in the Google application store was detected again last week. He is the cybersecurity specialist Pradeo who identified him in a application named Color Message. This application, which was designed to make the exchanges of SMS with its collection of emoticons, was deleted a few days ago from the Play Store. The problem was that it had had time to be downloaded over 500,000 times. Pradeo, who made it his  » autopsy », States that the viral load came to connect to Russian servers.

With such an application, Joker had an ideal container. To use it, you had to give it permissions to access contacts and message content, as well as to manage SMS. What to facilitate the collection of data to feed campaigns of phishing, for example. These same campaigns that allow us to retrieve identifiers and why not get their hands on the double factor protection code received by SMS exactly.

Terribly discreet

Likewise, control over the messaging application can allow the user to subscribe to paid services without him knowing it. via SMS. Yes the malware Joker keeps coming back to the Google gallery, it is very difficult to detect due to its small footprint. This summer, Joker had already been found in eight applications for Android. A lesser evil since it was previously present in hundreds of applications. Again, despite Google’s progress in matter security of its Play Store, it is better not to think outside the box and opt for notoriously reliable applications.

Android: the Joker virus is back and it affects 17 popular apps

For three years, this virus has regularly infected applications on the Play Store. The principle remains the same: spy on your personal data and then subscribe to paid services. Here is the list of the 17 infected applications that must be urgently uninstalled.

Article by Fabrice Auclert, published on 01/06/2021

It was thought to be gone, but the Joker virus continues to haunt the Google app store. Malware in force since 2017, it had been seen this summer, and here it is again which has just infected no less than 17 applications. Obviously, you have to uninstall them while Google has already deleted them from its Play Store.

They are researchers from the ThreatLabz team, from the cloud security company Zscaler, which identified the 17 infected applications, and as is the case every time, the virus is hiding in a component of an application that seems perfectly common and harmless. Joker then proceeds in several stages. First, as a Trojan horse, it is executed the first time the application is launched. It therefore loads in the background, and it then takes the opportunity to start the download of a much more harmful component.

Do not give access to your SMS or your directory

It is from there, always in the background and without it being detectable, that he begins his spy phase: SMS, contact lists, username and password seized … And the worst is yet to come since the malware is then able to subscribe the user to paid services! It is therefore necessary to monitor closely the applicationss who have access to SMS and contact lists, and especially not to give them access!

Often, the user answers « yes » to the different Windows without realizing that it thus makes available private functions of the phone that hackers can exploit. Another tip: look at the reviews published on an application before downloading them, but also the number ofstars. Infected applications are often unmasked by users.

Android: watch out for this virus that subscribes to paid services

As of 2017, Joker malware has infected Android apps, and eleven of them continue to trick users into forcing them to subscribe to paid services. This new variant manages to bypass Google’s validation and security steps.

Posted on 07/10/2020 by Fabrice Auclert

The game of cat and mouse continues between the pirates and the Google Play since the company Check Point discovered new traces of Joker, a malware identified in 2017, and thought to be eradicated. His speciality ? Hiding in classic and popular applications to activate payment for « in-app » services, such as paid options. All without the knowledge of the user.

This Thursday, the security experts of Check Point discovered its presence in eleven applications, and they accumulate 500,000 downloads. The most worrying thing is obviously that these eleven applications are available from the Play Store. This variant of Joker has found a new way to play the Trojans to hide in applications, and thus then become embedded in the smartphone. the malware is hidden in the manifest file that each developer must integrate into his application, and placed at the root of the application folder. It contains information about the author, logo, version, etc.

The malware hides during the validation phase

In this file, Joker places malicious code there, but it is encoded in base 64, and therefore not identifiable. While Google examines the file for l’application for its validation, the code is inactive. As soon as the validation is effective and the security checks are passed, then the hackers’ server launches the command hidden in this code and the malware can thus activate.

Alerted, Google immediately removed these apps from his store, but it is obviously recommended to uninstall them. These are ImageCompress, WithMe Texts, FriendSMS, Relax Relaxation, Cherry Messages, LovingLove Message, RecoveFiles, RemindMe Alarm, and Training Memory Game. It is also advisable to look at your bank account and verify that there have not been any fraudulent withdrawals.

Interested in what you just read?


Leave a Comment

Votre adresse e-mail ne sera pas publiée.