A malicious Android app with more than 500,000 downloads from the Google Play app store has been found hosting malware that stealthily exfiltrates users’ contact lists to an attacker-controlled server and signs up users to unwanted paid premium subscriptions without their knowledge.
The latest Joker malware was found in a messaging focused app named Color Message (“com.guo.smscolor.amessage”), which has since been removed from the official app marketplace.
Color Message
Google Play: https://play.google.com/store/apps/details?id=com.guo.smscolor.amessage
Package: com.guo.smscolor.amessage
Version 1.3
500.000+ installs
In addition, it has been observed simulating clicks in order to generate revenue from malicious ads and connecting to servers located in Russia.
Color Message “accesses users’ contact list and exfiltrates it over the network [and] automatically subscribes to unwanted paid services,” mobile security firm Pradeo noted. “To make it difficult to be removed, the application has the capability to hide it icon once installed.”
However, Google has already deleted this application from the Play Store, but, it doesn’t mean that users are now safe, since, it has already infected more than half a million users.
This malicious app offers its operators to execute the following primary actions that we have mentioned below:-
- Access users’ contact lists.
- Subscribe victims to the unwanted premium paid services without their knowledge.
- Simulate clicks.
So, the users who have installed the app on their Android smartphones are still highly vulnerable, as the threat actors could make them sign up for expensive services that you don’t need or want without their knowledge.
All the affected users have flooded the comment box with several complaints.
“We are committed to ensuring that the app is as useful and efficient as possible.” the developers behind Color Message state in their terms and conditions. “For that reason, we reserve the right to make changes to the app or to charge for its services, at any time and for any reason. We will never charge you for the app or its services without making it very clear to you exactly what you’re paying for.”
Joker, since its discovery in 2017, has been a notorious fleeceware infamous for carrying out an array of malicious activities, including billing fraud and intercepting SMS messages, contact details, and device information unbeknownst to users.
The rogue apps have continued to skirt Google Play protections using a barrage of evasion tactics to the point that Android’s Security and Privacy Team said the malware authors “have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected.”
