Joker Malware Flooding into Google Play

Be aware: the Joker, an Android trojan, has been detected yet again.

The Joker premium billing-fraud malware has resurfaced on Google Play with a new wave of tricks to evade scanners. The spyware can launch different attacks on systems, including faking service reviews, displaying deceptive ads, downloading infected apps, and disabling the Google Play Protect service.

Researchers said that the Joker, a billing-fraud mobile trojan, has returned to Google Play, concealing itself in malicious Android apps. Furthermore, it has found new methods to bypass Google’s app vetting process.

Joker has been around since 2017. It disguises itself as a legitimate app such as a photo editor, wallpaper app, messenger, or translator. The malware works in many different ways while stealing contact lists, SMS messages, and device information. The victim is often unaware of the scam until they receive their mobile bill.

Malicious Joker applications are often found outside the Google Play store. However, they continue to bypass Google Play’s protection every year. This is because malware authors continue to make small tweaks to their attack methods. There have been several waves of Joker attacks on the official store, including two large-scale attacks last year. Researchers at Zimperium claim that more than 1,800 Android apps infected by Joker were removed from the Google Play Store in the past four years.

Researchers said that at least 1,000 new samples were detected in the latest wave. Many of these samples are now on the official market.

According to a Zimperium analysis, malicious actors have found numerous ways to insert this malware into both official and unofficial app repositories. While the infected apps don’t last long in these repositories, the persistence shows how mobile malware, like traditional endpoint malware, does not vanish but is constantly being improved and modified in a cat-and-mouse game.

Legitimate Developer Techniques

According to Zimperium, the latest Joker malware versions, first discovered in 2020, use legitimate developer techniques to hide their true intent. This helps them evade both app store protections and device-based security.

Flutter is an open-source app development kit designed by Google. It allows developers to create native apps for desktop, mobile, and web from one codebase. For bad actors, the appeal is that using Flutter is a common practice that traditional scanners consider benign.

Researchers explained that malicious code could look legitimate and clean due to Flutter’s commonality, whereas scanners look for code with errors or inconsistencies.

Additional Tricks in the Bag

The analysis shows that Joker malware has been using another anti-detection method: embedding the payload as a .DEX file. This file can be encrypted with a number or hidden within an image using steganography. Researchers said that the image might be hosted on legitimate cloud repositories or remotely controlled by a command-and-control (C2) server.
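As a defender-side illustration of the payload hiding described above (an added example, not code from Zimperium or from the original article), the following triage check looks for a DEX header in the bytes that follow a PNG's final IEND chunk. It assumes the payload is simply appended to the image and that "encrypted with a number" means a single-byte XOR key; both are assumptions made for this example, and payloads embedded in pixel data would not be caught.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
DEX_MAGIC = b"dex\n"  # followed by three version digits and a NUL byte

def png_trailer(data):
    """Walk the PNG chunks and return whatever bytes follow IEND."""
    if not data.startswith(PNG_SIG):
        return b""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 12 + length  # length field + type + body + CRC
        if ctype == b"IEND":
            return data[pos:]
    return b""

def looks_like_dex(hdr):
    """Validate fixed DEX header fields so a bare magic match is not enough."""
    if len(hdr) < 0x70 or hdr[:4] != DEX_MAGIC:
        return False
    if not hdr[4:7].isdigit() or hdr[7] != 0:
        return False
    file_size, header_size, endian = struct.unpack_from("<III", hdr, 0x20)
    return header_size == 0x70 and endian == 0x12345678 and file_size >= 0x70

def find_hidden_dex(data):
    """Return (xor_key, offset_in_trailer) for an appended DEX, else None."""
    tail = png_trailer(data)
    for key in range(256):  # key 0 is the unencoded case
        needle = bytes(b ^ key for b in DEX_MAGIC)
        off = tail.find(needle)
        while off != -1:
            if looks_like_dex(bytes(b ^ key for b in tail[off:off + 0x70])):
                return key, off
            off = tail.find(needle, off + 1)
    return None

def _chunk(ctype, body=b""):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed sample data: a skeletal PNG and a header-only fake DEX.
SAMPLE_PNG = PNG_SIG + _chunk(b"IHDR", bytes(13)) + _chunk(b"IEND")
FAKE_DEX = (b"dex\n035\0" + bytes(24)
            + struct.pack("<III", 0x70, 0x70, 0x12345678) + bytes(68))
SAMPLE_XORED = SAMPLE_PNG + bytes(b ^ 0x5A for b in FAKE_DEX)

if __name__ == "__main__":
    for name, blob in [("clean", SAMPLE_PNG), ("xor", SAMPLE_XORED)]:
        print(name, find_hidden_dex(blob))
```

Any non-empty trailer after IEND in an app's image assets is worth a closer look, even when no DEX header is recovered.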

Another new behavior is to use URL shorteners to hide C2 addresses and use native libraries to decrypt an offline payload.

Researchers found that new samples take extra precautions to hide trojanized apps after they are installed.

They explained that after successful installation, the application infected with Joker malware runs a check using Google Play APIs to verify the latest version of the app in the Google Play Store. If there is no response, the malware may be running on a dynamic emulator. If the version in the store is not the latest, the local malware payload executes, infecting the mobile device. If the version found in the store is older than the current version, the C2s are contacted to obtain an updated version.

What are the risks?

These apps appear not only on Google Play and unofficial third-party marketplaces, but also in other sanctioned outlets, for the first or second time. AppGallery, the official app store for Huawei Android, was found to have been infected with the Joker trojan. Doctor Web reported that the apps were downloaded unknowingly by more than 538,000 users back in April.

Companies that offer bring-your-own-device (BYOD) have a higher risk, as employees can download whatever they please. At that point, the malware could steal the company’s information.

When installing apps, take a moment to review any notifications. They often indicate something unwelcome or unexpected. If you are ever in doubt or have any questions, you can either deny the request or remove the app.

Joker is a clever piece of malware that has already claimed thousands of victims. You can decrease your chances of becoming one by following these tips.
