Several New Play Store Apps Spotted Distributing Joker, Facestealer and Coper Malware

Google has taken steps to ax dozens of fraudulent apps from the
official Play Store that were spotted propagating Joker,
Facestealer, and Coper malware families through the virtual
marketplace.

While the Android storefront is considered to be a trusted
source for discovering and installing apps, bad actors have
repeatedly found ways to sneak past security barriers erected by
Google in hopes of luring unsuspecting users into downloading
malware-laced apps.

The latest findings from Zscaler ThreatLabz[1] and Pradeo[2] are no
different. “Joker is one of the most prominent malware families[3]
targeting Android devices,” researchers Viral Gandhi and Himanshu
Sharma said in a Monday report.

“Despite public awareness of this particular malware, it keeps
finding its way into Google’s official app store by regularly
modifying the malware’s trace signatures including updates to the
code, execution methods, and payload-retrieving techniques.”

Categorized as fleeceware[4], Joker (aka Bread) is
designed to subscribe users to unwanted paid services or make calls
to premium numbers, while also gathering SMS messages, contact
lists, and device information. It was first observed in the Play
Store in 2017.

A total of 53 Joker downloader apps have been identified by the
two cybersecurity firms, with the applications downloaded
cumulatively over 330,000 times. These apps typically pose as SMS,
photo editor, blood pressure monitor, emoji keyboard, and
translation apps and, in turn, request elevated permissions on the
device to carry out their operations.

“Instead of waiting for apps to gain a specified volume of
installs and reviews before swapping for a malware-laced version,
the Joker developers have taken to hiding the malicious payload in
a common asset file and package application using commercial
packers,” the researchers said of the new tactic the persistent
malware has adopted to evade detection.

It’s not just Joker, as security researcher Maxime Ingrao last
week disclosed[5]
eight apps containing a different variant of the malware called
Autolycos that racked up a total of over three million downloads
prior to their removal from the app store after more than six
months.

“What is new about this type is that it no longer requires a
WebView,” Malwarebytes researcher Pieter Arntz said[6]. “Not requiring a
WebView greatly reduces the chances that the user of an affected
device notices something fishy is going on. Autolycos avoids
WebView by executing URLs on a remote browser and then including
the result in HTTP requests.”

Also discovered in the official marketplace were apps embedding
Facestealer[7] and Coper[8] malware. While the former enables the
operators to siphon Facebook credentials and auth tokens, Coper — a
descendant of the Exobot malware — functions as a banking trojan
that can steal a wide range of data.

Coper is “capable of intercepting and sending SMS text messages,
making USSD (Unstructured Supplementary Service Data) requests to
send messages, keylogging, locking/unlocking the device screen,
performing overlay attacks, preventing uninstalls and generally
allowing attackers to take control and execute commands on infected
devices via remote connection with a C2 server,” the researchers
said.

The malware, like other banking trojans, is also known to abuse
the accessibility permissions on Android to gain full control of
the victim’s phone. The list of Facestealer and Coper dropper apps
is as follows –

  • Vanilla Camera (cam.vanilla.snapp)
  • Unicc QR Scanner (com.qrdscannerratedx)

If anything, the findings add to Google’s storied history of
struggling to keep such fleeceware and spyware apps off its mobile
app store, in part owing to a multitude of evolving tactics adopted
by threat actors to fly under the radar.

Besides the usual rules of thumb when it comes to downloading
apps from app stores, users are recommended to refrain from
granting unnecessary permissions to apps and verify their
legitimacy by checking for developer information, reading reviews,
and scrutinizing their privacy policies.
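As an added defensive example (not code from the article or from the vendors it cites), the Python triage helper below flags the two dropper packages listed above and any installed app that holds SMS/contacts permissions or is enabled as an accessibility service. It parses the text that `adb shell pm list packages`, `adb shell dumpsys package <pkg>` and `adb shell settings get secure enabled_accessibility_services` print; the sample output embedded in the script is constructed, and `com.example.qrtool` is a hypothetical package name.

```python
import re

# Dropper package names taken from the article's list above.
KNOWN_DROPPERS = {"cam.vanilla.snapp", "com.qrdscannerratedx"}
# Permissions the families above abuse to harvest SMS and contacts.
RISKY_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                     "android.permission.SEND_SMS", "android.permission.READ_CONTACTS"}

def parse_package_list(text):
    """Lines of `pm list packages` ('package:<name>') -> set of package names."""
    return {ln.split(":", 1)[1].strip() for ln in text.splitlines() if ln.startswith("package:")}

def granted_permissions(dumpsys_text):
    """Permissions marked granted=true in a `dumpsys package <pkg>` dump."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_text))

def enabled_accessibility_packages(setting_value):
    """'pkg/.Svc:pkg2/.Svc' from enabled_accessibility_services -> {pkg, pkg2}."""
    if not setting_value or setting_value.strip() == "null":
        return set()
    return {e.split("/", 1)[0] for e in setting_value.strip().split(":") if e}

def triage(installed, dumps, accessibility_setting):
    """Map each suspicious package to the reasons it was flagged."""
    a11y = enabled_accessibility_packages(accessibility_setting)
    findings = {}
    for pkg in sorted(installed):
        reasons = []
        if pkg in KNOWN_DROPPERS:
            reasons.append("known dropper package")
        risky = RISKY_PERMISSIONS & granted_permissions(dumps.get(pkg, ""))
        if risky:
            reasons.append("granted " + ", ".join(sorted(p.rsplit(".", 1)[1] for p in risky)))
        if pkg in a11y:
            reasons.append("enabled accessibility service")
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample output standing in for the three adb commands.
SAMPLE_PACKAGES = "package:com.android.chrome\npackage:cam.vanilla.snapp\npackage:com.example.qrtool\n"
SAMPLE_DUMPS = {
    "cam.vanilla.snapp": "  android.permission.CAMERA: granted=true\n  android.permission.READ_SMS: granted=true\n",
    "com.example.qrtool": "  android.permission.CAMERA: granted=true\n",
}
SAMPLE_A11Y = "com.example.qrtool/com.example.qrtool.HelperService"

if __name__ == "__main__":
    for pkg, why in triage(parse_package_list(SAMPLE_PACKAGES), SAMPLE_DUMPS, SAMPLE_A11Y).items():
        print(pkg, "->", "; ".join(why))
```

On a real device, feed the script the output of the three adb commands instead of the sample strings; a hit on a known dropper name is a removal candidate, while a permission or accessibility hit is a prompt to review why that app needs the grant.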

References

  1. Zscaler ThreatLabz (www.zscaler.com)
  2. Pradeo (blog.pradeo.com)
  3. prominent malware families (thehackernews.com)
  4. fleeceware (thehackernews.com)
  5. disclosed (twitter.com)
  6. said (blog.malwarebytes.com)
  7. Facestealer (thehackernews.com)
  8. Coper (thehackernews.com)
