A new malware called the ‘Joker’ is now plaguing Android apps and can steal money from your account by posing itself as a premium subscription in one of your existing apps. According to an analyst at CSIS Security Group named Aleksejs Kuprins, the malware has infected 24 apps on the Google Play Store, which have now been removed

What does the Joker malware do?
The malware discreetly signs people up on premium subscription services, steal SMS messages, contacts, and gather device information such as the serial and IMEI numbers. It also steals money from a user’s account by luring them to sign up for premium subscriptions. It starts by silently simulating interaction with an advertisement without the user knowing and then even steals the victim’s SMS messages, which might contain OTP to authenticate payments.
So, A user might not even know that they have been signed up for a subscription service and the money is being deducted from their account unless they pay attention to transaction alerts sent by their bank.

Joker malware – affected apps and countries
Joker malware has infected a total of 24 apps with over 4,72,000 installs, which Google has reportedly removed from the Play Store. This includes:

• Advocate Wallpaper
• Age Face
• Altar Message
• Antivirus Security- Security Scan
• Beach Camera
• Board Picture Editing
• Certain Wallpaper
• Climate SMS
• Collate Face Scanner
• Cute Camera
• Dazzle Wallpaper
• Declare Wallpaper
• Display Camera
• Great VPN
• Humour Camera
• Ignite Clean
• Leaf Face Scanner
• Mini Camera
• Print Plant Scan
• Rapid Face Scanner
• Reward Clean
• Ruddy SMS
• Soby Camera
• Spark Wallpaper

The Joker malware has targeted a total of 37 countries with a majority in Asia and the EU.The full list of 37 targeted countries includes: Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom and the United States.

An interesting thing worth mentioning about the Joker is the phone book contact list theft. The core component collects all numbers in the contact list and sends them over to the C&C in an encrypted form


Image of Contact Harvesting program in Joker Malware

How to stay protected from the Joker malware

Those who have downloaded any of the apps infected with the Joker malware listed above are recommended to delete them immediately. There is a good chance that the services the malware has signed up a user for will not appear in their Play Store subscriptions. So, to find that out, one will need to carefully sift through their bank account, credit card statement for at least till the month of June to check whether there have been any unwanted transactions without their consent. Though the infected apps have now been removed, it is unclear if a number of users are still at risk.We recommend paying close attention to the permission list in the apps that you install on your Android device. Obviously, there usually isn’t a clear description of why a certain app needs a particular permission, which means that whenever you are downloading any app.