Joker Malware Resurges in App Downloaded 500,000-Plus Times

Security researchers discovered the Joker malware, which has been active for at least two years, in an app downloaded more than half a million times from Google Play.

By Nathaniel Mott, Contributing Writer

Pradeo has discovered the Joker malware, which has been active for at least two years, in an Android app called Color Message that was downloaded more than 500,000 times.

"Joker is categorized as Fleeceware," Pradeo says, "as its main activity is to simulate clicks and intercept SMS to subscribe to unwanted paid premium services unbeknownst to users. By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect. In the last two years, the malware was found hiding in hundreds of apps."

The company says that Color Message was discovered surreptitiously "making connections to Russian servers." The app has since been removed from Google Play, but screenshots published by Pradeo show that it was billed as a messaging app that "makes texting easy, fun, and beautiful" and had an average score of 4.1 stars despite having many one-star reviews.

"Our analysis of the Color Message application through the Pradeo Security engine shows that it accesses users’ contact list and exfiltrates it over the network," Pradeo says. "Simultaneously, the application automatically subscribes to unwanted paid services unbeknownst to users. To make it difficult to be removed, the application has the capability to hide its icon once installed."

Pradeo says that previous apps featuring the Joker malware were installed between 1,000 and 100,000 times before they were removed from Google Play. The malicious software included multiple document scanners, another messaging app, a wallpaper manager, and the ironically named Safety AppLock. Luckily, it seems that deleting the apps can remove the malware.
