Google has recently removed 17 Android applications from the official Play Store because they were infected with the Joker (aka Bread) malware. ZDNet reports:
“This spyware is designed to steal SMS messages, contact lists, and device information, along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zscaler security researcher Viral Gandhi said this week. The 17 malicious apps were uploaded on the Play Store this month and didn’t get a chance to gain a following, having been downloaded more than 120,000 times before being detected.
Following its internal procedures, Google removed the apps from the Play Store, used the Play Protect service to disable the apps on infected devices, but users still need to manually intervene and remove the apps from their devices. But this recent takedown also marks the third such action from Google’s security team against a batch of Joker-infected apps over the past few months. […] The way these infected apps usually manage to sneak their way past Google’s defenses and reach the Play Store is through a technique called “droppers,” where the victim’s device is infected in a multi-stage process. Malware authors begin by cloning the functionality of a legitimate app and uploading it on the Play Store. This app is fully functional, requests access to dangerous permissions, but also doesn’t perform any malicious actions when it’s first run.
Because the malicious actions are usually delayed by hours or days, Google’s security scans don’t pick up the malicious code, and Google usually allows the app to be listed on the Play Store. But once on a user’s device, the app eventually downloads and “drops” (hence the name droppers, or loaders) other components or apps on the device that contain the Joker malware or other malware strains.