Submitted URL: https://threatpost.com/malicious-joker-app-downloads-google-play/177139///
Effective URL: https://threatpost.com/malicious-joker-app-downloads-google-play/177139/
Submission: On December 22 via api from US — Scanned from DE


MALICIOUS JOKER APP SCORES HALF-MILLION DOWNLOADS ON GOOGLE PLAY

Author: Tara Seals
December 17, 2021 2:23 pm
2 minute read
Joker malware was found lurking in the Color Message app, ready to fleece
unsuspecting users with premium SMS charges.

The Joker malware is back again on Google Play, this time spotted in a mobile
application called Color Message. The app was downloaded more than 500,000 times
before its removal from the store.

Users should immediately delete Color Message from their devices to avoid being
defrauded, researchers at Pradeo Security warned.

Joker is a persistent threat that’s been kicking around since 2017, hiding
itself within legitimate-seeming, common application types like games,
messengers, photo editors, translators and wallpapers, many of them aimed at
children. But once installed, Joker apps subscribe victims to unwanted, paid
premium services controlled by the attackers – a type of billing fraud that
researchers categorize as “fleeceware.” Often, the victim is none the wiser
until the mobile bill arrives.



In the worst cases, the apps also exfiltrate contact lists and device
information and can hide their icons from the home screen – which is the case
with Color Message, Pradeo researchers said, adding that the application
appeared to be making connections to Russian servers.

Color Message purported to offer the ability to jazz up messaging with a range
of fun emojis and screen overlays.

Source: Pradeo.

“It makes texting easy, fun and beautiful,” according to its Google Play
listing, captured by Pradeo before the takedown. “Customize the theme quickly.
The Color Message application has unique technology that can help you
personalize your default SMS messenger.”

Interestingly, it also had 1,800+ reviews, with an average rating of four stars
– though the more recent reviews tended towards the scathing, such as
“misleading ad and worst app ever.”

“The application’s very concise terms and conditions are hosted on an unbranded
one-page blog and do not disclose the extent of the actions the app can perform
on users’ devices,” according to the Pradeo writeup. “One of the victims has
even tried reaching out to the application’s developer through the comment
section of the legal page, other users are directly complaining about the fraud
in the comment section of the app on the store.”


JOKER, AN EVERGREEN MALWARE THREAT

Malicious Joker apps are commonly found outside of the official Google Play
store, but they’ve continued to skirt Google Play’s protections. One of the ways
Joker does this is through lightweight development and constant code tinkering.

“By using as little code as possible and thoroughly hiding it, Joker generates a
very discreet footprint that can be tricky to detect,” according to Pradeo.

The most recent version of the malware also takes advantage of a legitimate
developer tool called Flutter to evade both device-based security and app-store
protections, Zimperium recently found. Flutter is an open-source app development
kit designed by Google that allows developers to craft native apps for mobile,
web and desktop from a single codebase. The use of Flutter to code mobile
applications is a common approach, and one that traditional scanners see as
benign, researchers said.

“Due to the commonality of Flutter, even malicious application code will look
legitimate and clean, whereas many scanners are looking for disjointed code with
errors or improper assemblies,” explained Zimperium researchers in an analysis
published in July.

As a result of all the trickery, there have been periodic reinfestations of
Joker inside the official store, including two massive onslaughts last year.
According to researchers at Zimperium, more than 1,800 Android applications
infected with Joker have been removed from the Google Play store in the last
four years.

