Cybersecurity researchers at Zscaler ThreatLabz discovered yet another batch of Android malware that was openly available on the Google Play Store and downloaded by hundreds of thousands of users before it was removed. This group includes dozens of apps that hid three major malware strains: Joker, Facestealer, and Coper.
Despite sounding like Batman’s rogues gallery, these are three dangerous malwares that execute multifaceted attacks and can compromise personal data, steal login information, scam you into unwanted financial transactions, and even grant hackers full remote control of infected devices.
What can Joker, Facestealer, and Coper do?
Like most Android malware, the offending apps were trojans—software that looks harmless, but secretly contains malware. Some of the apps in Zscaler’s report used sophisticated tactics to bypass Google Play’s anti-malware inspection, while others side-loaded the malware after the app was installed. Some could even slip past on-device anti-malware using these techniques.
Of the three types of malware, Joker accounted for the majority of infections, appearing in 50 apps with over 300,000 combined downloads. It’s not surprising Joker made up the overwhelming majority of attacks; it is a prolific malware that’s commonly used for wireless application protocol (WAP) scams, in which victims are signed up for unwanted subscription services through their mobile carrier. These attacks do not need direct access to your bank or credit card information, and instead rely on the infected device’s mobile data to subscribe to services via your phone bill.
Most of the Joker apps in this batch of malware were messaging and communication apps that access your phone’s texting and mobile data features to buy premium subscriptions, then intercept and delete any confirmation texts from the services its signs you up for. Reviewing an app’s permissions is a common way to spot dangerous software, but a communication app asking for SMS and mobile data-related permissions wouldn’t seem out of place, so affected users may have no idea they’re paying for unwanted services unless they vigilantly review every item on their monthly phone bill.
Joker apps will also use the personal data it uses for WAP scams for other attacks, like breaking into your social media and banking accounts, but the real identity thief in the bunch is Facestealer.
Plenty of legitimate apps require a Facebook, Twitter, Google, or Apple ID, but Facestealer apps use fake social media login screens that steal your login information. The spoofed login screens usually load directly in the app and look like the real thing, so it’s easy to overlook. Hackers can then use your login information to hijack your account to spread more malware to your friends through messages, or, worse, siphon personal information that can help them steal your identity. Zscaler found Facestealer in just one app, the Vanilla Snap Camera, which only had 5,000 downloads, but it’s almost certain there are other Facestealer trojans masquerading as real apps on Google Play.
The last malware, Coper, also targets your personal data and login information. It can read your keyboard text entries, tries to dupe you with fake login screens, and even accesses and reads your texts. All of this stolen data is then quietly shared with the app’s creators to launch smishing, phishing, and even SIM swapping attacks. Coper is dangerous, but luckily only associated with a single app, Unicc QR Scanner, which had about 1,000 downloads. However, the danger here is that the malware wasn’t actually hidden in the app’s code, but rather side-loaded via a fake app update. This is a common tactic hackers use to circumvent Google Play’s anti-malware scans entirely, since they can simply add the malware later.
How to stay safe
You can find a full list of the malicious apps and how they executed their attacks in Zscaler’s report. The good news is all offending apps were removed from Google Play and disabled on devices that downloaded them from the Play Store.
That said, it’s only a matter of time before another round of Android malware is discovered. You need to protect yourself from possible threats at all times.
We’ve covered the best ways to safeguard Android devices, social media accounts, and other personal data against all manner of scams, hacks, and leaks. But when it comes to Android apps, the best way to stay safe is to only install apps from well-known and trusted publishers, and only download them from verified sources like the Google Play Store, APK Mirror, or XDA Developers.
If you decide to download an app from an unknown publisher, make sure to read the reviews and research the app online first. However, unless an app offers functionality you simply cannot get from a mainstream publisher’s app, there’s no reason to download alternative texting, camera, or QR code scanning apps—especially when your phone can do all of these things with the built-in features it comes with.