Malware found in Google Play Store affected millions of devices

Author at TechGenyz Google

As we all know, Google has already removed 17 apps from the Play Store after they were found to be infected with the Joker (aka Bread) malware. The cloud security company Zscaler apparently found the malicious apps and immediately reported them to Google. However, reports show that the infected apps had been downloaded around 1.2 lakh times by that time, and there remains a possibility that millions of users were affected by them.

According to Viral Gandhi, a security researcher from Zscaler, these apps were infected with the Joker (aka Bread) malware, which steals user information and at the same time registers victims for WAP services.

He said:

This spyware is designed to steal text messages, contact lists, and device information. At the same time, it is quietly registering victims for advanced wireless application protocol (WAP) services.

Now, what are these WAP services? WAP, or Wireless Application Protocol, is an application environment and set of communication protocols for wireless devices, designed to enable manufacturer-, vendor-, and technology-independent access to the internet and advanced telephony services. By registering for this service, user information becomes freer to access.

After getting the reports from Zscaler, Google deleted these apps from its official Play Store. To stop this kind of malware, the tech giant also introduced the Play Protect disable service, but users still need to manually delete these applications from their devices.

How does Joker affect Google?

Joker, aka Bread, is known for conducting billing fraud by intercepting SMS messages to subscribe to unwanted paid services. It disguises itself as legitimate apps and makes purchases using WAP billing on behalf of users without their knowledge. This is the third time the Google security team has dealt with Joker-infected applications in recent months.

Joker has become a recurring irritation that the tech giant can't seem to get rid of. Previously, Google deleted 6 infected apps, and in July, Google security researchers also found a batch of applications infected by Joker. As per the reports, this batch of the malware has been active since March and has successfully infected millions of devices.

According to Google, these infected applications use a technique called "droppers", which is very simple but difficult to defend against. This technique allows the infected application to bypass Google's security defenses, get onto the Play Store, and finally infect the user's device in multiple stages.

Infecting a device involves several stages. First, the creator of the malware clones the functionality of a legitimate application and uploads the clone to the Play Store. This clone works the same as the original and can request access. However, it will not perform any malicious operations the first time it runs. Google is unable to detect any malicious code in these applications because their malicious operations are often delayed for hours or days.

Once the user installs this application, it eventually downloads or drops other components or applications that contain the Joker malware or other malicious software. This puts the user's personal information in danger.

Google has already said that Joker is one of the persistent malware families it has been dealing with for quite a while. It has also stated that its security team has removed more than 1,700 applications from the Play Store since 2017. Though this kind of malware is difficult to remove, users can avoid it by staying alert when installing applications that ask for broad permissions.

So, the next time a particular application asks for suspicious permissions such as SMS messages, contacts, or call logs, make sure to check whether it is infected.
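The permission check suggested above can be done in bulk on a device you manage. The following is an added example, not code from Google or Zscaler: it parses a constructed sample laid out like `adb shell dumpsys package` output (the layout is an assumption) and flags apps that request two or more of the sensitive groups the article names. A flagged app is a candidate for review, not a confirmed infection; the function names and grouping are hypothetical.

```python
import re

P = "android.permission."
# Permission groups the article singles out: SMS, contacts, call logs.
SENSITIVE = {
    "sms": {P + "READ_SMS", P + "RECEIVE_SMS", P + "SEND_SMS"},
    "contacts": {P + "READ_CONTACTS"},
    "call_log": {P + "READ_CALL_LOG"},
}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
# Constructed sample, laid out like `adb shell dumpsys package` output (assumed).
SAMPLE_DUMP = """\
Package [com.example.wallpaper] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
    android.permission.READ_CONTACTS
  install permissions:
    android.permission.INTERNET: granted=true
Package [com.example.notes] (4d5e6f):
  requested permissions:
    android.permission.INTERNET
"""

def requested_permissions(dump):
    """Map package name -> permissions listed under 'requested permissions:'."""
    perms, pkg, in_section = {}, None, False
    for line in dump.splitlines():
        s, m = line.strip(), PKG_RE.match(line)
        if m:
            pkg, in_section = m.group(1), False
        elif s.endswith(":"):           # a section header starts or ends the list
            in_section = (s == "requested permissions:")
        elif in_section and pkg and s:
            perms.setdefault(pkg, set()).add(s.split(":")[0])  # drop any flag suffix
    return perms

def flag_broad_access(dump, min_groups=2):
    """Return {package: groups} for apps requesting >= min_groups sensitive groups."""
    flagged = {}
    for pkg, perms in requested_permissions(dump).items():
        groups = sorted(g for g, names in SENSITIVE.items() if perms & names)
        if len(groups) >= min_groups:
            flagged[pkg] = groups
    return flagged

if __name__ == "__main__":
    print(flag_broad_access(SAMPLE_DUMP))
```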
