Privacy Ninja

Malicious Android Apps with 300K Installs Found on Google Play

Malicious Android Apps with 300K Installs Found on Google Play

Cybersecurity researchers have discovered three Android malware families infiltrating the Google Play Store, hiding their malicious payloads inside many seemingly innocuous applications.

The malicious activities suffered by users who installed the malware apps included stolen data, social media account takeovers, SMS interception, and unauthorized charges to their mobile numbers.

The malware families discovered by Zscaler’s ThreatLabz on the Google Play Store are known as “Joker,” “Facestealer,” and “Coper.”

The analysts informed Google of their findings, and all apps have since been removed from the Play Store. However, those still using these malicious apps will need to remove them and perform a device lean-up to uproot any remnants.

Also Read: June 2022 PDPC incidents and undertaking

The Joker

The Joker malware family is used to steal information from compromised devices, including SMS messages and the victim’s contact list, while also subscribing mobile numbers to premium wireless application protocol (WAP) services.

Zscaler’s report lists 50 applications trojanized with Joker that collectively account for over 300,000 downloads on the Play Store.

Almost half of them are communication apps because these naturally require users to grant access to risky permissions, so it’s easier for the malware to acquire the high-level privileges needed for its malicious operation.

Base64 encrypted content
Base64 encrypted content (Zscaler)

The Joker developers now hide the payload in a common asset file, in base64 obfuscated form, sometimes giving it JSON, TTF, PNG, or database file extension.

“Many Joker apps hide the payload in the assets folder of the Android Package Kit (APK) and creates an ARM ABI executable to avoid detection by most sandboxes which are based on x86 architecture,” explains Zscaler in the report.

The Facestealer

As expected from the malware’s name, Facestealer steals victims’ Facebook accounts using fake login forms overlaid on top of legitimate apps’ login forms.

The researchers found one app hiding the particular malware family in its code, a harmless-sounding utility named “Vanilla Snap Camera,” installed approximately 5,000 times.

Also Read: A beginner’s guide to the Singapore PDPA

Fake Facebook login page overlaid on the compromised device
Facebook login supposedly needed for using the application (Zscaler)

The Coper

Coper is an information-stealing malware capable of intercepting SMS texts, logging text entered on the devices, performing overlay attacks, sending malicious SMS texts, and exfiltrating data back to the attacker’s servers.

Zscaler’s analysts found at least one app, named “Unicc QR Scanner,” hiding Coper in its code, which compromised roughly 1,000 devices.

While the app itself does not initially contain any malicious code, once installed and launched, it will download the malware via a fake program update.

Post-installation payload download
Post-installation payload download (Zscaler)

How to stay safe 

To keep the chances of installing a malicious app from the Google Play Store, only install the absolutely essential applications, read reviews before installing an app to see if anyone found malicious behavior, and trust only large well-known publishers.

Upon installation, pay attention to the requested permissions and avoid granting access to risky ones, especially if they don’t seem to be connected with the app’s core functionality.

Finally, ensure that Play Protect is active on your device, and regularly monitor your network data and battery consumption to unearth any potentially suspicious processes running in the background.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us