This article is regularly updated with new mobile applications that are infected with Joker malware yet still available for download on Google Play. We always alert Google of our discoveries.
Updated on Thursday December 16th 2021
A mobile application called Color Message infected with Joker malware is currently available for download on Google Play and was installed by more than half a million users. The application appears to be making connections to Russian servers.
Joker is categorized as Fleeceware, as its main activity is to simulate clicks and intercept SMS to subscribe to unwanted paid premium services unbeknownst to users. By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect. In the last two years, the malware was found hiding in hundreds of apps.
Today, Pradeo identified another infected application on Google Play. Users are advised to immediately delete it from their device to avoid fraudulent activities.
Our analysis of the Color Message application through the Pradeo Security engine shows that it accesses users’ contact list and exfiltrates it over the network. Simultaneously, the application automatically subscribes to unwanted paid services unbeknownst to users. To make removal difficult, the application can hide its icon once installed.
The application’s very concise terms and conditions are hosted on an unbranded one-page blog and do not disclose the extent of the actions the app can perform on users’ devices. One of the victims has even tried reaching out to the application’s developer through the comment section of the legal page, while other users are complaining about the fraud directly in the comment section of the app on the store.
Convenient Scanner 2
Separate Doc Scanner
For more information, write to firstname.lastname@example.org.