Security researchers found the Joker malware back on the Google Play app, this time hidden in the Color Message app. The application was reportedly downloaded more than 500,000 times before it was removed from the platform. Users should immediately remove the application from their devices in order to mitigate any further risks, according to researchers at Pradeo Security. The Joker malware has been around since 2017, frequently disguising itself within common applications that seem legitimate, such as games, messengers, photo editors, translators, and wallpapers. Many of the apps are aimed at children or younger audiences.
Once installed, the Joker malware subscribes users to unwanted premium services controlled by the attackers. Schemes of this nature are referred to as billing fraud, further categorized as “fleeceware.” The victim is unaware of the charges until their mobile bill arrives. In some cases, the apps also exfiltrate contact lists and device information and perform other malicious actions, such as hiding icons from the home screen. The latter is a function of the Color Message app, say Pradeo researchers. In addition, the application appears to be connected to Russian servers.
Read More: Malicious Joker App Scores Half-Million Downloads on Google Play