Android app with more than 500,000 downloads from Google Play has been caught hosting malware that surreptitiously sends users’ contacts to an C2 server and signs up users to pricey subscriptions.
The app,Color Message enhances text messaging by doing things such as adding emojis and blocking junk texts. But it contains a family of malware known as Joker, which has infected millions of Android devices in the past.
The app accesses users contact list and exfiltrates it over the network, the application automatically subscribes to unwanted paid services to users. To make it difficult to be removed, the application has the capability to hide its icon once installed.
Joker falls into a category of malware known as Fleeceware. It simulates clicks and intercepts text messages in an attempt to subscribe users to paid premium services they never intended to buy. Joker is hard to detect because of the tiny footprint of its code and the techniques its developers use to stash it.
Besides sending users’ contacts to a server that appears to be located in Russia and subscribing to unwanted services, Color Message also fails to disclose the extent of the actions the app can perform on users’ devices. Google removed the app from the Playstore after this discovery.