Security experts have identified three Android malware families that have infiltrated the Google Play Store and are concealing their harmful payloads inside several ostensibly innocent applications.

Users who downloaded the malicious apps experienced data theft, social media account hijacking, SMS interception, and unauthorised charges to their mobile accounts.

The “Joker,” “Facestealer,” and “Coper” malware families were found in the Google Play Store by Zscaler’s ThreatLabz.

All of the apps were removed from the Play Store after the analysts reported their findings to Google. However, anyone who still has one of these harmful apps on their phone must uninstall it and carry out a device clean-up to remove any leftovers.

The Joker

The Joker malware family can subscribe the victim’s mobile number to expensive wireless application protocol (WAP) services, and it also steals data from infected devices, such as SMS messages and the victim’s contact list.

According to Zscaler’s analysis, there are 50 applications trojanized with Joker that together have received over 300,000 Play Store downloads.

Nearly half of them are communication apps, which naturally ask users to grant access to dangerous permissions, so the malware obtains the high-level capabilities its harmful operation requires without arousing suspicion.

Base64 encrypted content (Zscaler)

The Joker developers now conceal the payload as a shared asset file in base64-obfuscated form, occasionally giving it a JSON, TTF, PNG, or database file extension.

To escape detection by the majority of sandboxes, which are built on the x86 architecture, many Joker apps hide the payload in the assets folder of the Android Package Kit (APK) and build an ARM ABI executable, according to Zscaler’s research.
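A triage check for the asset-disguise trick described above, as an added example (not Zscaler’s tooling or code from the original article): it walks an APK’s assets/ directory, skips files whose header matches their extension, and flags files that base64-decode to a DEX, ELF or ZIP header. The header values are standard format magic bytes; the asset names and the sample APK are constructed for the demo.

```python
import base64
import binascii
import io
import posixpath
import zipfile

# Headers a genuine file of each extension starts with (assumption: a matching
# header means the asset is what it claims to be and is not inspected further).
MAGIC_BY_EXT = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".ttf": b"\x00\x01\x00\x00",
    ".db": b"SQLite format 3\x00",
}
# Headers an Android payload would have once the base64 layer is removed.
PAYLOAD_MAGIC = {
    b"dex\n": "DEX (Dalvik executable)",
    b"\x7fELF": "ELF (native code)",
    b"PK\x03\x04": "ZIP/APK/JAR",
}

def classify_asset(name, data):
    """Return a finding for an asset that looks like a disguised base64 payload, else None."""
    ext = posixpath.splitext(name)[1].lower()
    expected = MAGIC_BY_EXT.get(ext)
    if expected and data.startswith(expected):
        return None  # header agrees with the extension
    if ext == ".json" and data.lstrip()[:1] in (b"{", b"["):
        return None  # plausibly real JSON
    try:
        decoded = base64.b64decode(data.strip(), validate=True)
    except binascii.Error:
        return None  # not a clean base64 blob
    for magic, label in PAYLOAD_MAGIC.items():
        if decoded.startswith(magic):
            return f"{name}: extension {ext or '(none)'} but base64 decodes to {label}"
    return None

def scan_apk(apk_bytes):
    """Scan every file under assets/ in an APK (a ZIP) and list suspicious ones."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.startswith("assets/") and not info.is_dir():
                finding = classify_asset(info.filename, zf.read(info))
                if finding:
                    findings.append(finding)
    return findings

def build_sample_apk():
    """Constructed sample: a real PNG, real JSON, and a 'TTF' that is base64 of a DEX header."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/logo.png", MAGIC_BY_EXT[".png"] + b"\x00" * 16)
        zf.writestr("assets/config.json", b'{"theme": "dark"}')
        zf.writestr("assets/fonts/ui.ttf", base64.b64encode(fake_dex))
    return buf.getvalue()
```

Running `scan_apk(build_sample_apk())` reports only the disguised font file; on a real APK, feed the bytes of the downloaded package instead.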

The Facestealer

Facestealer, as its name implies, steals victims’ Facebook accounts by overlaying fake login forms on top of the genuine app login forms.

The researchers discovered one app, a seemingly trustworthy programme called “Vanilla Snap Camera,” that had this malware family hidden in its code.

Facebook login supposedly needed for using the application (Zscaler)

The Coper

Coper is data-stealing malware that can send malicious SMS texts, perform overlay attacks, log text entered on the device, intercept SMS messages, and transfer data back to the attacker’s servers.

Analysts at Zscaler discovered at least one app, named “Unicc QR Scanner,” that had infected 1,000 devices with the Coper malware hidden in its code.

The app contains no harmful code when it is first downloaded, but once it has been installed and activated it downloads the malware through a phoney software update.

How to stay safe

Install only the apps you absolutely need from the Google Play Store, check the reviews before installing to see whether anyone has reported malicious behaviour, and prefer large, well-known publishers to reduce the likelihood of getting a rogue app.

When installing an app, pay close attention to the permissions it requests and avoid granting access to hazardous ones, especially if they don’t appear to be related to the app’s primary features.

Last but not least, make sure Play Protect is turned on for your device, and routinely check your network data and battery usage to spot any suspicious programmes that might be running in the background.