Malware found in the Google Play Store has infected millions of devices
Lead: Malware is quietly signing you up for Advanced Wireless Application Protocol (WAP) services.
This week Google removed 17 Android applications from the official Play Store.
According to Viral Gandhi, a security researcher from Zscaler, all 17 applications were infected with Joker (aka Bread) malware. He said: “This spyware is designed to steal text messages, contact lists, and device information. At the same time, it is quietly registering victims for advanced wireless application protocol (WAP) services.”
Google has deleted these applications from the Play Store and triggered the Play Protect disable service, but users still need to intervene manually to delete the applications from their devices.
Joker is the bane of the Play Store. This is the third time in recent months that the Google security team has dealt with Joker-infected applications. Earlier this month, the Google team deleted 6 infected apps. Before that, in July, Google security researchers also discovered a batch of applications infected by Joker.
According to the investigation, this batch of malware has been active since March and has successfully infected millions of devices.
These infected applications use a technique known as “droppers.” The technique allows an infected application to bypass Google’s security defenses, get onto the Play Store, and infect the victim’s device in multiple stages.
From Google’s point of view, this technique is very simple, but difficult to defend against.
First, the creator of the malware clones the functionality of a legitimate application and uploads the clone to the Play Store. Generally speaking, this application is fully functional and can request access, but it does not perform any malicious operations the first time it runs. Because the malicious operations are often delayed for hours or days, Google’s security scans do not detect malicious code, and such applications usually make it onto the Play Store.
But once the user installs it on a device, the application downloads and “drops” (hence the name droppers or loaders) other components or applications onto the device, and these components or applications contain Joker malware or other malicious software.
In January of this year, Google published a blog post claiming that Joker is one of the most persistent and advanced threats they have dealt with in the past few years. At the same time, Google also said that since 2017, its security team has removed more than 1,700 applications from the Play Store. In short, it is difficult to guard against Joker, but if users can be cautious when installing applications with broad permissions, the possibility of infection can be reduced.
In addition, Bitdefender also reported a batch of malicious applications to the Google security team, some of which are still available on the Play Store. Bitdefender did not disclose the names of the applications, only the account names of the developers who uploaded them, and stated that users who have installed applications from these developers should delete them immediately.
Compilation source: https://www.zdnet.com/article/google-removes-17-android-apps-doing-wap-billing-fraud-from-the-play-store/