Google took down several apps from the Play Store for spreading malware

Several malware families like Joker, Facestealer, and Coper were distributed via the marketplace before the app takedown

Android malware spreads via Play Store. Joker, Coper, and Facestealer malware campaigns involved Android applications that got taken down.

Google has removed a large number of malware-laced Android applications from its marketplace. Among them, Google took down eight particular applications with 3 million cumulative downloads from the Play Store.[1] These eight have reportedly[2] been infected with Joker spyware variants. The latest reports[3] show that particular malware families are targeting Android devices and spreading via marketplaces that are generally considered a trusted source for discovering and installing applications.

This threat family is well known to researchers. The fleeceware, known as Bread or Joker malware, is designed to trick users into subscribing to unwanted paid services and to make calls to numbers for a fee. The malware is capable of gathering data such as SMS messages, contacts, and device information. It was first observed in the same Play Store, and since 2017 it has never left the scene.

Despite public awareness of this particular malware, it keeps finding its way into Google's official app store by regularly modifying its trace signatures, including updates to the code, execution methods, and payload-retrieving techniques.

A total of 53 Joker downloader applications

Two cybersecurity firms have identified applications that have already been downloaded by hundreds of thousands of users. These applications commonly pose as SMS apps, photo editors, blood pressure monitors, emoji keyboards, and translation apps.[4] Once installed, these apps request elevated device permissions so that the additional operations can be carried out on the system.

Researchers explained that these campaigns also used new tactics for persistence and detection bypass. Commonly, the malware developers first publish a malware-free application and wait for downloads and reviews to pile up. Then the malware-laced app is swapped in on the marketplace in place of the original program.

Joker developers hide the malicious payload in a common asset file and package the application using commercial packers, keeping the malware undetected this way. It also no longer requires a WebView, which reduces the chance that users notice something unusual about the application.

Facestealer and Coper malware distributed in the official marketplace

Researchers also reported that among the applications Google reportedly blocked were a number of applications spreading the Facestealer and Coper malware variants. The latter is a version of the Exobot malware and functions as a banking trojan that steals various information from the device. Facestealer is malware that allows its creators to collect Facebook credentials and auth tokens.[5]

Coper is a threat that can intercept and send SMS text messages, log keystrokes, lock and unlock devices, perform overlay attacks, and prevent various programs from being uninstalled, allowing the attackers to take control and execute these commands on devices via a remote connection to the C2 server.

It also abuses accessibility permissions to gain full control of the Android phone. The applications used to spread the Facestealer and Coper pieces were messaging apps, imaging apps like Vanilla Camera, and various tools like QR scanners, for example Unicc QR Scanner.
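The capabilities described above (SMS interception and sending, overlay attacks, accessibility abuse, resisting uninstall) and the benign-first-then-swap update tactic all leave traces in an app's manifest. The following added example, which is not code from the article or from any of the vendors it cites, is a small defender-side triage script: it extracts declared permissions and privileged component bindings from an AndroidManifest.xml, flags the ones that map to those behaviours, and compares a previously vetted version against an update so that newly added high-risk capabilities stand out. The two manifests and the package name are constructed for illustration and do not correspond to any real app; the mapping of permissions to risk reasons is the author's own assumption about what a reviewer would want flagged.

```python
"""Triage AndroidManifest.xml permissions for Joker/Coper-style capabilities.

Added example (not from the article). Manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission -> why it matters for the behaviours described in the article.
# This mapping is an assumption chosen for the example, not a vendor list.
HIGH_RISK = {
    "android.permission.READ_SMS": "read SMS (steal confirmation codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (premium-rate subscription fraud)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays on top of other apps",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service: screen control / keylogging",
    "android.permission.BIND_DEVICE_ADMIN": "device admin: lock device, resist uninstall",
}


def extract_capabilities(manifest_xml: str) -> set:
    """Collect declared capabilities from a manifest.

    <uses-permission android:name=...> lists what the app asks for; components
    guarded by android:permission="...BIND_*" (accessibility services,
    device-admin receivers) reveal privileged roles the app wants to hold.
    """
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perm_attr = "{%s}permission" % ANDROID_NS
    caps = set()
    for up in root.iter("uses-permission"):
        name = up.get(name_attr)
        if name:
            caps.add(name)
    for comp in root.iter():
        if comp.tag in ("service", "receiver", "activity"):
            guard = comp.get(perm_attr)
            if guard:
                caps.add(guard)
    return caps


def flag_high_risk(caps: set) -> dict:
    """Return {permission: reason} for every high-risk capability present."""
    return {p: HIGH_RISK[p] for p in sorted(caps) if p in HIGH_RISK}


def triage_update(old_manifest: str, new_manifest: str) -> dict:
    """Compare a previously vetted version with an update.

    The swap tactic (benign app first, malicious build later) shows up as
    high-risk capabilities that appear only in the update.
    """
    old_caps = extract_capabilities(old_manifest)
    new_caps = extract_capabilities(new_manifest)
    added = new_caps - old_caps
    new_high_risk = flag_high_risk(added)
    verdict = "escalate" if new_high_risk else "routine"
    return {"added": sorted(added), "new_high_risk": new_high_risk, "verdict": verdict}


# Constructed sample: v1 is a plausible photo editor; v2 is what a swapped-in
# build might declare. Neither is a real application's manifest.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoeditor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoeditor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = triage_update(MANIFEST_V1, MANIFEST_V2)
    for perm, why in report["new_high_risk"].items():
        print(f"{perm}: {why}")
    print("verdict:", report["verdict"])
```

Running the script on the two constructed manifests reports READ_SMS, SYSTEM_ALERT_WINDOW and the accessibility-service binding as capabilities introduced only by the update and returns the verdict "escalate". In practice the manifest would come from the decoded APK (for example via apktool or aapt), and the "old" baseline would be the version that was reviewed when the app was first approved.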

Unfortunately, Google struggles to detect and block these fleeceware applications and other spyware programs in time. Attacks relying on these silent tactics grow each year in the number of affected devices, because threat actors keep evolving their methods and adopting techniques that keep malicious activities under the radar.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors for . He graduated from Washington and Jefferson College, Communication and Journalism studies.
