For those unaware, Color Message was advertised as an app that allowed users to personalise their default SMS messages. The analysis of the Color Message application done by the researchers through the Pradeo Security engine showed that the app accessed users’ contact list and exfiltrated it over the network to Russian servers. Joker is considered a “fleeceware” form of malware, as its main activity is to simulate clicks in order to generate revenue from malicious ads, intercept SMS to subscribe users to unwanted paid premium services unbeknownst to them and commit billing fraud. By using as little code as possible and thoroughly hiding it, Joker generated a very discreet footprint that was tricky to detect for Google Play’s app protections. To make it difficult to be removed, the application even had the capability to hide its icon once installed. The application’s very concise terms and conditions are hosted on an unbranded one page blog and does not disclose the extent of the actions the app performed on users’ devices. “One of the victims has even tried reaching out to the application’s developer through the comment section of the legal page, other users are directly complaining about the fraud in the comment section of the app on the store,” the researchers wrote in the blog post citing users’ comments that it is a scam app. Users who have downloaded the Color Message app from the Google Play Store are advised to immediately delete it from their device to avoid fraudulent activities. Apparently, the Joker malware has been hiding in hundreds of apps in the last two years. However, this is the first time it has been detected in the Play Store.
