A malicious Android app with more than 500,000 downloads from the Google Play app store has been found hosting malware that stealthily exfiltrates users’ contact lists to an attacker-controlled server and signs up users to unwanted paid premium subscriptions without their knowledge.
The latest Joker malware was found in a messaging-focused app named Color Message (“com.guo.smscolor.amessage”), which has since been removed from the official app marketplace. In addition, it has been observed simulating clicks in order to generate revenue from malicious ads and connecting to servers located in Russia.
Color Message “accesses users’ contact list and exfiltrates it over the network [and] automatically subscribes to unwanted paid services,” mobile security firm Pradeo noted. “To make it difficult to be removed, the application has the capability to hides it icon once installed.”