Google has recently removed eight Android apps, which have garnered over 3M downloads. The apps were laced with a new variant of the Joker spyware.
Maxime Ingrao, a French security researcher, discovered a piece of malware that can force users to subscribe to a premium service without their knowledge or consent. Fraudsters would rack up payment charges on the backend. This type of scam is known as toll fraud malware, or fleeceware.
If you have any of these apps installed, you must remove them immediately.
- Vlog Star Video Editor has more than 1 million downloads
- Creative 3D Launcher has been installed more than 1 million times
- Funny Camera has more than 500,000 installations
- Wow Beauty Camera has 100,000 downloads
- Gif Emoji Keyboard has more than 100,000 installations
- Razer Keyboard & Theme has 50,000 installations
- Freeglow Camera 1.0.0 has 5,000 downloads
- Coco camera v1.1 has 1,000 downloads
How were users infected?
Cyber criminals spread the malware through Facebook pages and have been running ads on Facebook and Instagram since June 2021.
Ingrao tweeted, “… there were 74 ad campaigns for Razer Keyboard & Theme malware.”
What is Joker spyware?
Ingrao mentioned that this new malware was similar to Joker, a spyware that also forced users to subscribe to premium services and carried out other malicious activities.
Joker hid in advertisements served by malicious apps. When a malicious app propagating Joker was installed, it displayed a screen showing the app logo to confuse victims while it performed nefarious activities in the background, including stealing text messages and contact lists, as well as forcing users into paid subscriptions.
How is the new spyware different?
This new strain of Joker spyware has ‘no webview like #Joker but only http requests,’ says Ingrao. It would execute URLs on a remote browser and include the result in HTTP requests. This helped the malware evade detection better than the original strain.