Google Play app with 500,000 downloads sent user contacts to Russian server

An Android app with more than 500,000 downloads from Google Play has been caught hosting malware that surreptitiously sends user contacts to a server controlled by an attacker and signs users up for expensive subscriptions, a security company reported.

The application, named Color Message, was still available on Google’s servers while this article was being prepared. Google deleted it more than three hours after I asked the company for comment.

Color Message purports to improve text messaging by adding emojis and blocking unwanted texts. But according to researchers at Pradeo Security, who published their findings Thursday, Color Message contains a family of malware known as Joker, which has infected millions of Android devices in the past.

“Our analysis of the Color Message application through the Pradeo Security engine shows that it accesses users’ contact list and exfiltrates it over the network,” the company’s blog said. “At the same time, the application automatically subscribes to unwanted paid services without the users’ knowledge. To make it difficult to remove, the app has the ability to hide its icon once installed.”

Pradeo’s discovery only marks the latest instance of Google hosting malicious products that harm users of its Android mobile operating system. While the company scans apps for malware and proactively removes a large number of submissions on a regular basis, there is no shortage of apps Google misses. Frequent reports of malicious apps available through Play tarnish an otherwise clean security dashboard for the mobile operating system, at least as it is available on Pixel devices developed by Google.

Joker belongs to a category of malware known as Fleeceware. It simulates clicks and intercepts text messages in an attempt to surreptitiously subscribe users to premium paid services that they never intended to purchase. Joker is difficult to detect due to its small code footprint and the techniques its developers use to hide it. Over the past few years, the malware has been detected in hundreds of applications downloaded by millions of people.

In addition to sending users’ contacts to a server that appears to be located in Russia and subscribing to unwanted services, Color Message also fails to disclose the scope of actions that the app can perform on users’ devices.

As usual, Android users should be careful before downloading any apps. A good rule of thumb is to download apps only when they offer a real benefit, and then choose those created by well-known companies, when possible. People should also read user reviews to see if there are any reports of malware.