“Fleeceware” malware downloaded 600 million times


Google has tried to remove malicious apps from its Android platform on the Google Play Store, but some apps are slipping by the Google security team, like Fleeceware. Fleeceware is a malicious application that tricks users into paying excessive amounts for simple applications with features available for free elsewhere. These apps have been installed nearly 600 million times on more than 100 million devices, according to a Sophos report.

Fleeceware attacks

Fleeceware succeeds on the Google Play Store (more so than on the Apple App Store) because it takes advantage of a business model widely used in that ecosystem: users can download and use an app for a short trial period without paying. When the trial expires, unless the user has both uninstalled the application and told the developer that they are finished with it, the developer bills the user. The model is similar to "free trial" offers in that it places the burden of cancelling the service on the user.

These apps create a number of problems for those who are "fleeced," the researchers said. Not only are they charged exorbitant sums for very little in return, but "there is little recourse" if they want a refund once they realize they have been charged, because the Google Play Store's policies are "considerably less user-friendly" than those of typical U.S. credit card companies, they said.

Joker-ridden fleeceware applications

The Android application Color Message hosts the "Joker" malware. Joker is a persistent threat that has been around since 2017, lurking in common and seemingly legitimate categories of apps such as games, messengers, photo editors, translators and wallpapers, many of them aimed at children. Once installed, Joker apps subscribe victims to unwanted premium paid services controlled by the attackers, a type of billing fraud researchers call "fleecing." Often the victim does not realize they are being billed until the phone bill arrives.

In the worst case, fleeceware apps that carry malware also exfiltrate contact lists and device information, and may hide their home-screen icons. That was the case in the "Color Message" attack mentioned above, where the application appeared to establish connections with Russian servers.

Bypassing security checks

Malicious Joker apps are typically found outside the official Google Play store, but they have repeatedly slipped past Google Play's protections. One way Joker does this is through lightweight development and constant code changes. The most recent version of the malware also takes advantage of a legitimate developer tool, Flutter, to evade both on-device security and app store checks. Flutter is an open-source application development kit from Google that lets developers build apps for mobile, web and desktop from a single code base. Using Flutter to build mobile apps is a common approach that traditional scanners consider harmless.

“Due to the Flutter community, even malware application code will look legitimate and clean, as many scanners look for disjointed code with errors or incorrect assemblies,” Zimperium researchers explained in an analysis published in July.

Avoiding being fleeced

First of all, if you have an Android device with "Color Message" installed, delete the app immediately and follow the instructions below to cancel the subscription so that you are not billed further. Users can also check for other apps they may be subscribed to by following these instructions for Google or Apple accounts:

iOS (Apple)
  • Open Settings
  • Tap your name
  • Tap Subscriptions to view and manage all of them
  • Alternatively, open the App Store
    • Tap your initials in the upper-right corner
    • Tap Subscriptions to view and manage all of them
Android (Google)
  • Open the Play Store
  • Tap the menu icon in the upper-right corner
  • Choose Subscriptions to view and manage your subscriptions

Cybersecurity recommendations

It is important to always be sure that you are installing a secure app on your devices. Always check the reviews, the app’s country of origin, and the reputation of the developers. Additionally, the recommendations below will help you and your business stay safe from the various threats you may face on a daily basis:

  1. Govern employees with policies and procedures. At a minimum, you need a password policy, an acceptable use policy, an information management policy, and a written information security program (WISP).
  2. Train employees on how to detect and avoid phishing attacks. Adopt a learning management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
  3. Test employees with phishing attacks to practice. CyberHoot phishing tests allow companies to test employees for credible phishing attacks and put those who fail in remedial phishing training.
  4. Deploy critical cybersecurity technology, including two-factor authentication on all critical accounts. Enable spam filtering, validate backups, and deploy DNS protection, antivirus and anti-malware on all your devices.
  5. In the modern age of working from home, make sure you manage the personal devices that connect to your network by validating their security (patches, antivirus, DNS protections, etc.) or banning their use altogether.
  6. If you haven’t done a third party risk assessment in the past 2 years, you should have one now. Establishing a risk management framework in your organization is essential to dealing with your most egregious risks with your limited time and money.
  7. Buy cyber insurance to protect yourself in the event of a catastrophic failure. Cyber insurance is no different from auto, fire, flood, or life insurance. It’s there when you need it most.


Malicious Joker app records half a million downloads on Google Play – ThreatPost

‘Fleeceware’ apps downloaded 600 million times from Google Play – ThreatPost

