These malware-infected apps for Android could secretly run up your phone bill

Android owners might want to check their phones. A cyber security company has discovered a handful of apps that embed Joker malware on Android phones. So far, over 100,000 people have installed the software.

Pradeo, in a blog post Tuesday, warned users to immediately delete “Smart SMS Messages,” “Blood Pressure Monitor,” “Voice Languages Translator,” and “Quick Text SMS” from their devices. (Google has already removed all four of the apps from the Google Play store.)

Joker is a type of “fleeceware,” which subscribes infected devices to unwanted paid services. It also sends SMS messages and makes calls to premium numbers without the phone owner’s knowledge, running up a big phone bill, of which the hackers take a cut. The practice is also referred to as “toll fraud.”  

“By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint that can be tricky to detect. In the last three years, the malware was found hiding in thousands of apps,” Pradeo wrote. “Victims only notice the fraud when receiving their mobile phone invoice, potentially weeks after it started.”

The company says it has found Joker in at least 11 other Android apps recently—even as Congress considers a bill that would force Apple and Google to let apps circumvent their marketplaces in a practice called “sideloading.” In every case, the apps are programmed to install other applications on infected phones, which could add even more dangerous malware.

Joker, sometimes called Jocker, has been around for a while, but its footprint has been growing lately. Researchers from security firm Kaspersky say the malware has become advanced enough that it can bypass bot-detection mechanisms on paid service sites.

Once you’ve installed an app infected with the malware, it will request access to text messages and/or notifications, whichever makes sense depending on the type of app it’s hiding within. Kaspersky notes that by gaining access to notifications, it can intercept confirmation codes received in the text of messages, letting it subscribe to a paid service without the user being aware.

Microsoft, last week, published an extensive warning about Joker and other sorts of malware that contribute to toll fraud: “Toll fraud has been one of the most prevalent types of Android malware in Google Play Store since 2017, when families like Joker and their variants made their first appearance. It accounted for 34.8% of installed Potentially Harmful Application (PHA) from the Google Play Store in the first quarter of 2022, ranking second only to spyware.”

In their Google Play listings, the weaponized apps Pradeo discovered looked legitimate enough. The company, though, says there are a few steps users can take to protect themselves against future downloads with Joker hidden in the code.

First, take a look at the developer’s account. If they have only one app, tread with extreme caution. (Once an app is banned, the hacker will simply open a new developer account.) Also, look for red flags with the privacy policy. If it’s hosted on a Google Doc or Google Site page, that’s a warning sign. If it uses a template or is especially short, steer clear. And if it doesn’t disclose the full extent of the activities the app can perform, walk away.

Of course, this also requires you to read the privacy policy before you install the app, something very few people do.