Malicious ‘Fleeceware’ App Downloaded 600M Times


Google has tried to keep malicious apps off its Android platform through the Google Play Store, but certain categories of app still slip past Google's security team. One of them is fleeceware: applications that trick users into paying excessive amounts of money for simple functionality that is available for free elsewhere. According to a Sophos report, such apps have been installed nearly 600 million times on more than 100 million devices.

Fleece attacks

Fleeceware has been successful on the Google Play Store (rather than on the Apple App Store) because it exploits a business model widely used in that ecosystem: users can download and use an app for a short trial period without paying. When the trial expires, the developer starts charging unless the user has both uninstalled the app and told the developer that they are done with it; uninstalling alone does not cancel the subscription. This mirrors conventional "free trial" offers, which place the burden of cancelling on the user.

These apps cause a number of problems for those who are fleeced, the researchers said. Not only are victims charged exorbitant sums for very little in return, they have little recourse if they want a refund after realizing they have been charged, because Google Play Store policies are "significantly less consumer friendly" than those of typical US credit card companies, they said.

Joker-ridden fleeceware applications

The Android app Color Message has been found to harbor the "Joker" malware. Joker is a persistent threat, active since 2017, that hides inside common types of seemingly legitimate apps such as games, messengers, photo editors, translators and wallpapers, many of them aimed at children. Once installed, Joker-infected apps subscribe victims to unwanted premium paid services controlled by the attackers, a form of billing fraud that researchers classify as fleeceware. Often the victim does not realize they are being charged until the phone bill arrives.

In the worst case, fleeceware applications that carry malware also exfiltrate contact lists and device information and can hide their icons on the home screen. This was the case with the Color Message attack mentioned above, in which the application also appeared to be connecting to Russian servers.

Bypassing security controls

Malicious Joker apps are most commonly found outside the official Google Play store, but they have continued to bypass Google Play's protections. One way Joker does this is through small, constant code changes. The latest version of the malware also leverages a legitimate developer tool, Flutter, to bypass both device-based security and app store protections. Flutter is an open-source application development kit designed by Google that lets developers build mobile, web and desktop applications from a single code base. Using Flutter to build mobile apps is a common approach, and one that traditional scanners treat as harmless.

“Due to the common characteristics of Flutter, even malicious application code will appear legitimate and clean, while many scanners look for disjointed code with errors or incorrect assemblies,” explained the Zimperium researchers in an analysis published in July.
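The behaviours described above (contact and device-information exfiltration, premium-service billing, icon hiding) have to be declared in the app's manifest no matter what language the code itself is written in, so a Flutter app whose Dart code "looks clean" to a scanner still carries those declarations. The following Python script is an added triage example written by the editor; it is not code from the page, Sophos or Zimperium. It scores a decoded AndroidManifest.xml (for instance as produced by apktool) on the permission and launcher-component declarations those behaviours need. The permission groupings, the weights, the threshold and the assumption that premium subscriptions are confirmed via SMS are the editor's own, and the two sample manifests with their package names are constructed for illustration.

```python
"""Heuristic triage of a decoded AndroidManifest.xml for Joker-style fleeceware.

Added example (not from the page or its sources). Weights, threshold and the
SMS group are assumptions; legitimate apps request these permissions too, so
treat the score as a reason to look closer, not as a verdict.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # ElementTree's Clark notation for the android: prefix

# Assumed groupings and weights: tune to your own corpus.
PERMISSION_GROUPS = {
    "contacts": ({"android.permission.READ_CONTACTS"}, 2),
    "device_info": ({"android.permission.READ_PHONE_STATE"}, 1),
    "network": ({"android.permission.INTERNET"}, 1),
    # Assumption: premium-service fraud often needs to read or send confirmation SMS.
    "sms": ({"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}, 3),
}
SUSPICIOUS_THRESHOLD = 5


def _is_launcher(component):
    """True if the component carries a MAIN/LAUNCHER intent filter (shows an icon)."""
    for f in component.findall("intent-filter"):
        actions = {a.get(A + "name") for a in f.findall("action")}
        categories = {c.get(A + "name") for c in f.findall("category")}
        if ("android.intent.action.MAIN" in actions
                and "android.intent.category.LAUNCHER" in categories):
            return True
    return False


def triage_manifest(xml_text):
    """Return package name, heuristic score, verdict and human-readable findings."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    findings, score = [], 0

    for label, (group, weight) in PERMISSION_GROUPS.items():
        hits = sorted(perms & group)
        if hits:
            findings.append("%s: %s" % (label, ", ".join(hits)))
            score += weight

    app = root.find("application")
    for comp in (app.iter() if app is not None else ()):
        if comp.tag not in ("activity", "activity-alias") or not _is_launcher(comp):
            continue
        name = comp.get(A + "name")
        if comp.get(A + "enabled", "true").lower() == "false":
            # A launcher entry that ships disabled never shows an icon at all.
            findings.append("launcher component %s is declared disabled" % name)
            score += 2
        elif comp.tag == "activity-alias":
            # An alias is what apps typically toggle via PackageManager to hide the icon later.
            findings.append("launcher entry %s is an alias that can be disabled at runtime" % name)
            score += 1

    return {"package": root.get("package"), "score": score,
            "suspicious": score >= SUSPICIOUS_THRESHOLD, "findings": findings}


# Constructed sample manifests with hypothetical package names, not real apps.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Wallpapers">
        <activity android:name=".MainActivity"/>
        <activity-alias android:name=".Launcher" android:targetActivity=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity-alias>
    </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "score", result["score"],
              "SUSPICIOUS" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

The constructed wallpaper manifest scores 8 (contacts, device info, network, SMS, plus a launcher alias) and is flagged; the notes app scores 1 for INTERNET alone. Run it against a batch of manifests decoded from APKs and review the flagged ones by hand: the point is that a manifest check is independent of how scanner-friendly the compiled code looks.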

Avoiding fleeceware

First, if you have an Android device with Color Message installed, remove the app immediately and follow the instructions below to unsubscribe, so that you are not charged any further. Users can also check for other applications they may be subscribed to by following these steps for their Google or Apple account:

iOS (Apple)
  • Open Settings
  • Tap your name
  • Tap Subscriptions to view and manage all of your subscriptions
  • Alternatively, open the App Store,
    • Tap your initials (profile icon) in the upper-right corner
    • Tap Subscriptions to view and manage all of your subscriptions
Android (Google)
  • Open the Play Store
  • Tap the menu icon (in newer versions of the app, your profile picture in the upper-right corner, then Payments & subscriptions)
  • Choose Subscriptions to view and manage your subscriptions

Cybersecurity Recommendations

It is important to make sure that you are installing trustworthy applications on your devices. Always check the reviews, the application's country of origin and the reputation of the developer. Additionally, the recommendations below will help you and your business stay safe from the threats you face on a day-to-day basis:

  1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
  2. Train employees on how to detect and avoid phishing attacks. Adopt a learning management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
  3. Test employees with phishing attacks to practice. CyberHoot phishing tests allow companies to test employees with credible phishing attacks and put those who fail in corrective phishing training.
  4. Implement critical cybersecurity technology, including two-factor authentication on all critical accounts. Enable spam filtering, validate backups, and deploy DNS protection, antivirus and antimalware on all of your endpoints.
  5. In the modern era of work from home, make sure you manage the personal devices that connect to your network by validating their security (patches, antivirus, DNS protections, etc.) or by prohibiting their use altogether.
  6. If you haven’t had a third-party risk assessment in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your limited time and money.
  7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than auto, fire, flood or life insurance. It’s there when you need it most.


Malicious Joker App Gets Half a Million Downloads on Google Play – ThreatPost

‘Fleeceware’ apps downloaded 600 million times from Google Play – ThreatPost
