Google has removed 17 apps from the Google Play Store for being infected with the Joker (also known as Bread) malware. This is one of the most persistent malware families we have seen on Google's mobile OS, and the company has been dealing with it since 2017. In that time, Google has removed more than 1700 apps plagued by Joker. These 17 apps were downloaded 120,000 times before being detected. The list of 17 apps is as follows.
According to Zscaler security, "This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services". Joker previously made headlines in July 2020 and in September 2019.
The malware uses a technique known as a "dropper" to infect the device, and the process has multiple stages. According to Bleeping Computer, "Malware authors have realized in the past years that Google has a very hard time picking up "droppers" hidden in legitimate apps. For the past years, more and more malware operations have adopted this trick of splitting their code in two —a dropper and the actual malware. The reason is that droppers require a smaller number of permissions and exhibit limited behaviour that could be classified as malicious. Furthermore, adding timers that delay the execution of any malicious code by a few hours also helps the malware remain undetected during Google's scans. These simple tricks allow tiny pieces of malicious code to slip inside the Play Store hidden in all sorts of apps, of many categories. Once users run the apps, which in most cases do what they advertise, the malicious code executes, the droppers ask for various permissions, and if they get them, then they download a far more potent malware".
Put simply, delaying the malicious behaviour hides it from Google's scans. The infection only begins once the app asks for permissions and the user grants them. This is why you must be very careful about granting apps permissions they don't need. For example, there is no reason for a torch app to ask for access to your contacts, the dialer or your messages, and such permission requests should be denied.
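A small audit script, added here as an example and not part of the original article, that puts the torch-app rule into practice: it parses the runtime-permission lines of `adb shell dumpsys package <pkg>` output (the sample below is constructed in that shape) and flags granted permissions that a Joker-style payload needs for SMS theft, contact theft and silent WAP billing but that the app's stated purpose does not justify. The purpose allow-list and the sensitive-permission list are assumptions chosen for the illustration.

```python
import re

# Permissions a Joker-style payload relies on, with why each matters (assumed list).
SENSITIVE = {
    "android.permission.READ_SMS": "read SMS (OTP / billing confirmations)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (premium-rate enrolment)",
    "android.permission.READ_CONTACTS": "read contact list",
    "android.permission.READ_PHONE_STATE": "device identifiers",
    "android.permission.READ_CALL_LOG": "call history",
}

# Permissions plausible for a given app purpose (assumed, constructed allow-list).
EXPECTED = {
    "flashlight": {"android.permission.CAMERA"},
    "messaging": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
}

# Matches lines such as "      android.permission.READ_SMS: granted=true, flags=[ ... ]"
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")


def parse_granted(dumpsys_text):
    """Return the set of runtime permissions reported as granted."""
    granted = set()
    for line in dumpsys_text.splitlines():
        m = GRANT_RE.match(line)
        if m and m.group(2) == "true":
            granted.add(m.group(1))
    return granted


def audit(purpose, dumpsys_text):
    """Return sorted (permission, reason) pairs for granted sensitive permissions
    that the declared purpose does not justify."""
    expected = EXPECTED.get(purpose, set())
    granted = parse_granted(dumpsys_text)
    return sorted((p, SENSITIVE[p]) for p in granted if p in SENSITIVE and p not in expected)


# Constructed sample in the shape of `dumpsys package` runtime-permission output.
SAMPLE = """\
  User 0: installed=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.READ_PHONE_STATE: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for perm, why in audit("flashlight", SAMPLE):
        print(f"unjustified: {perm} ({why})")
```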