A malicious Android app has been found with more than 500,000 downloads from the Google Play store. The app contains malware that stealthily sends users’ contact lists to an attacker-controlled server and signs them up to unwanted paid premium subscriptions.
Joker malware has been found in an app called Color Message (“com.Guo.smscolor.message”), which has since been removed from the official Play Store. It has also been observed simulating clicks to generate revenue from malicious ads and connecting to Russian servers. Mobile security firm Pradeo said Color Message “accesses users’ contact lists and exfiltrates them over the network” in addition to automatically subscribing them to unwanted paid services, and that “the application can hide its icon once installed to make it difficult to remove.” The developers behind Color Message state in their terms and conditions that they are “committed to making the app as useful and efficient as possible. Therefore, we reserve the right to make changes to the app at any time and for any reason. We will never charge you without making it very clear to you what you’re paying for.”
Joker has been a notorious fleeceware strain since its discovery in 2017. It is known to conduct a variety of malicious activities, including billing fraud and intercepting SMS messages, contact details, and device information without the user’s knowledge.
In an attempt to avoid detection, the rogue apps have continued to skirt Google Play protections using a barrage of evasion techniques to the point that Android’s Security and Privacy Team said the malware authors “have used just about every cloaking and obfuscation technique under the sun.”