Recent reports indicate that the Google Play Store has become a haven for trojanized applications that distribute Joker malware to Android devices.
Many cybercriminals earn their income from billing fraud. A number of Trojans are currently known to secretly subscribe mobile users to paid services.
The apps have been continually iterated to find gaps in Google’s app defenses and have managed to slip into the app store unnoticed despite ongoing efforts on the part of Google.
Trojanized apps commonly impersonate their removed counterparts, appearing as:
- Messaging apps
- Health trackers
- PDF scanners
As soon as these applications are installed, they request certain permissions to access text messages. Once those are granted, they subscribe the user to premium services and charge them.
Jocker: Text Message Thief
Various Trojan programs in the Trojan.AndroidOS.Jocker family can intercept SMS codes and circumvent anti-fraud solutions. Because the trojanized apps still perform their advertised functions, the user might not suspect that they are malicious.
To bypass the vetting process, the Trojan checks whether the app has gone live on Google Play. While the app is still in the vetting phase, the malicious payload remains dormant.
There is an endless stream of trojanized apps being removed from the store each and every day, yet there are still new ones continuously flooding it to replace them.
Most Attacked Countries
Between January 2021 and March 2022, the users most frequently attacked by Jocker were in Saudi Arabia (21.20%). Poland ranks second (8.98%), followed by Germany (6.01%).
The top 10 countries attacked by Joker are:
- Saudi Arabia (21.20%)
- Poland (8.98%)
- Germany (6.01%)
- Malaysia (5.71%)
- The United Arab Emirates (5.50%)
- Switzerland (5.10%)
- South Africa (4.12%)
- Austria (3.96%)
- Russia (3.53%)
- China (2.91%)
As of the end of February 2022, Kaspersky had detected Joker infections in three applications:
- Style Message (com.stylelacat.messagearound)
- Blood Pressure App (blood.maodig.raise.bloodrate.monitorapp.plus.tracker.tool.health)
- Camera PDF Scanner (com.jiao.hdcam.docscanner)
This is not the first time subscription trojans have appeared on app marketplaces. For example, an aggressive money-making scheme known as GriftHorse was announced in September 2021 by Zimperium.
Although it is advisable to download apps through official app stores, it is also recommended to perform the following checks:
- Read the reviews
- Check the legitimacy of the developers
- Review the permissions requested
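The permissions check above can be automated across a device's app inventory. The following is an added example, not code from Kaspersky or the original article: it flags the three package names listed on this page and any other app that requests text message access. The sample input is constructed and assumed to follow the layout of `adb shell dumpsys package` output; `com.example.notes` and `com.example.fitness` are hypothetical apps.

```python
import re

# Package names of the three apps listed on this page.
KNOWN_JOKER_PACKAGES = {
    "com.stylelacat.messagearound",
    "blood.maodig.raise.bloodrate.monitorapp.plus.tracker.tool.health",
    "com.jiao.hdcam.docscanner",
}
# Android permissions that give an app access to text messages.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
# Constructed sample; layout assumed to match `adb shell dumpsys package`.
SAMPLE_DUMP = """\
Package [com.jiao.hdcam.docscanner] (a1b2c3):
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
Package [com.example.notes] (d4e5f6):
    requested permissions:
      android.permission.INTERNET
Package [com.example.fitness] (0718aa):
    requested permissions:
      android.permission.BODY_SENSORS
      android.permission.RECEIVE_SMS
"""

def parse_requested_permissions(dump):
    """Return {package: set of requested permissions} from dumpsys-style text."""
    packages, current, in_requested = {}, None, False
    for line in dump.splitlines():
        text = line.strip()
        header = re.match(r"Package \[([\w.]+)\]", text)
        if header:
            current, in_requested = header.group(1), False
            packages[current] = set()
        elif text == "requested permissions:":
            in_requested = True
        elif text.endswith(":"):
            in_requested = False  # a different section (e.g. install permissions)
        elif in_requested and current and text:
            packages[current].add(text)
    return packages

def audit(dump):
    """Return (package, reason, sms_permissions) for each app worth reviewing."""
    findings = []
    for pkg, perms in sorted(parse_requested_permissions(dump).items()):
        sms = sorted(perms & SMS_PERMISSIONS)
        if pkg in KNOWN_JOKER_PACKAGES:
            findings.append((pkg, "listed-package", sms))
        elif sms:
            findings.append((pkg, "sms-access", sms))
    return findings

if __name__ == "__main__":
    for pkg, reason, sms in audit(SAMPLE_DUMP):
        print(f"{reason:15} {pkg} {', '.join(sms)}")
```

An `sms-access` finding is a prompt for manual review rather than a verdict, since legitimate messaging apps request the same permissions.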