Google Play app with 500,000 downloads sent user contacts to Russian server – Ars Technica

A robotic hand tries to activate a smartphone.

An Android app with more than 500,000 downloads from Google Play has been caught hosting malware that surreptitiously sends users’ contacts to an attacker-controlled server and signs up users to pricey subscriptions, a security firm reported.

The app, named Color Message, was still available on Google servers at the time this post was being prepared. Google removed it more than three hours after I asked the company for comment.

Ostensibly, Color Message enhances text messaging by doing things such as adding emojis and blocking junk texts. But according to researchers at Pradeo Security said on Thursday, Color Message contains a family of malware known as Joker, which has infected millions of Android devices in the past.

“Our analysis of the Color Message application through the Pradeo Security engine shows that it accesses users’ contact list and exfiltrates it over the network,” the company’s blog post stated. “Simultaneously, the application automatically subscribes to unwanted paid services unbeknownst to users. To make it difficult to be removed, the application has the capability to hide its icon once installed.”

Pradeo’s discovery marks only the latest instance of Google hosting malicious wares that harm users of its Android mobile operating system. While the company scans apps for malware and regularly removes huge numbers of submissions proactively, there’s no shortage of apps Google misses. The frequent reports of rogue apps available through Play tarnishes an otherwise clean security scorecard for the mobile OS, at least as it’s available on Google-developed Pixel devices.

Joker falls into a category of malware known as Fleeceware. It simulates clicks and intercepts text messages in an attempt to surreptitiously subscribe users to paid premium services they never intended to buy. Joker is hard to detect because of the tiny footprint of its code and the techniques its developers use to stash it. Over the past few years, the malware has been found lurking in hundreds of apps downloaded by millions of people.

Besides sending users’ contacts to a server that appears to be located in Russia and subscribing to unwanted services, Color Message also fails to disclose the extent of the actions the app can perform on users’ devices.

As usual, Android users should be circumspect before downloading apps. A good rule of thumb is to download apps only when they provide a true benefit and then to choose ones made by known companies, when possible. People should also read the user reviews to see if there are reports of malice.