Six more apps containing Joker malware have been removed from the Google Play Store. What is Joker malware? And which methods are used to deliver it?
In yet another example of the persistent malware that has been plaguing Android users for years, researchers at Pradeo have unmasked six apps containing Joker malware on the Google Play store. The malware, which exfiltrates data and registers victims for premium subscription services, was found on 11 Android apps in July and has now been detected on an additional six. According to Pradeo, the six apps found in August have so far been downloaded more than 200,000 times. Users are advised to immediately delete them from their devices to avoid fraudulent activities.
What is Joker malware?
Joker (also known as Bread) is a combination of spyware and a premium dialler that hides inside legitimate-looking apps. Once installed on a victim’s device, it can access notifications and read and send SMS messages. It uses these capabilities to commit billing fraud, either by subscribing victims to premium-rate services or by using the victim’s account to make purchases through WAP billing. The researchers at Pradeo note that Joker leaves a very discreet footprint that can be tricky to detect.
Roughly 1,700 apps infected with the Joker malware have been removed by Google from the Play Store since 2017, but the malware keeps re-emerging. Of the six apps uncovered as delivering Joker, «Convenient Scanner 2» has been downloaded over 100,000 times alone, while «Separate Doc Scanner» has been downloaded by 50,000 users. Google’s Android security and privacy team describes Joker as one of the most persistent threats the Play Store faces.
How does it operate?
The first type of Joker malware mainly relied on SMS fraud. It would sign you up for subscriptions or make payments without your knowledge, and you’d typically see unwanted charges on your mobile bill. In 2019, Google tightened restrictions on apps that asked to access your Call Log or SMS, but due to its evolving nature the threat very much persists.
Research by Check Point has uncovered a new kind of Joker malware that is just as deceitful as the last. In the new method, the malware hides malicious code inside the Android Manifest file of a legitimate app. Consequently, Joker doesn’t need to contact a C&C server to download the payload (the portion of the malware that performs the malicious action). Check Point summarizes Joker’s new method in three steps:
- Joker builds its payload, inserting it into the Android Manifest file
- During evaluation time, the malware doesn’t try to load the malicious payload, simplifying the process of bypassing Play Store protections
- When it’s been approved, the campaign starts to operate
The most recent version of Joker malware gets past Google’s security using a clever technique: it hides the malicious DEX file inside the app as Base64-encoded strings. This means that when the app is placed on the Play Store, there is no visible sign of malware. Check Point notes that Joker is still evolving, and although Google has removed the malicious apps from the Play Store, we can expect Joker to strike again.
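The hiding technique described above suggests a simple defensive check an app reviewer or analyst can run: decode each long Base64 run found in an app’s manifest and test whether the bytes begin with the DEX file header. The script below is an added example and is not code from Pradeo, Check Point or Google. It assumes the manifest has already been decoded to plain text (for instance with apktool; inside the APK it is binary XML), and the manifest it scans is a constructed sample containing a fake DEX header, never real code. It only catches a payload stored as a plain Base64 DEX; a payload that is additionally encrypted or split across several strings would not match and would need further decoding.

```python
import base64
import binascii
import re

# Every Dalvik executable starts with "dex\n" + a three-digit version + NUL,
# e.g. b"dex\n035\x00". Finding that prefix after decoding is the whole check.
DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")

# A run of Base64 alphabet long enough to plausibly carry code. Short Base64
# values (API keys, tokens) are common in manifests and are ignored on purpose.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def decode_if_base64(candidate: str):
    """Strictly decode a Base64 run; return None if it is not valid Base64."""
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_manifest(manifest_text: str):
    """Return one finding per Base64 run whose decoded bytes start with a DEX header."""
    findings = []
    for match in BASE64_RUN.finditer(manifest_text):
        data = decode_if_base64(match.group(0))
        if data is None or not DEX_MAGIC.match(data):
            continue
        findings.append({
            "offset": match.start(),
            "encoded_length": len(match.group(0)),
            "decoded_length": len(data),
            "dex_version": data[4:7].decode("ascii"),
        })
    return findings


# Constructed sample payload: a DEX header followed by filler bytes, not real code.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 56 + b"\x41" * 100
HIDDEN_PAYLOAD = base64.b64encode(FAKE_DEX).decode("ascii")

# Constructed benign value: a PNG header, the kind of blob an asset might embed.
# It is long Base64 too, so it shows the scanner does not flag every big string.
BENIGN_BLOB = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40).decode("ascii")

# Constructed decoded manifest (package name and meta-data names are made up).
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scannerapp">
    <uses-permission android:name="android.permission.READ_SMS" />
    <application android:label="Scanner">
        <meta-data android:name="analytics_key" android:value="abc123" />
        <meta-data android:name="splash_image" android:value="{BENIGN_BLOB}" />
        <meta-data android:name="config_blob" android:value="{HIDDEN_PAYLOAD}" />
    </application>
</manifest>
"""


def main():
    for finding in scan_manifest(SAMPLE_MANIFEST):
        print(
            f"DEX payload at offset {finding['offset']}: version "
            f"{finding['dex_version']}, {finding['decoded_length']} bytes decoded"
        )


if __name__ == "__main__":
    main()
```

Run against the constructed manifest, the scanner reports exactly one finding: the `config_blob` value, decoded to 164 bytes with DEX version 035, while the equally long PNG blob is left alone. The same `scan_manifest` function can be pointed at any other decoded text pulled from an APK (string resources, assets) if the payload is suspected to live elsewhere.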
Despite Google’s best efforts, malware still sneaks its way in
During the third week of August this year, our partner, Wultra, detected an excessive number of Joker malware apps pretending to be messenger apps.
Despite Google’s best efforts, the Play Store remains riddled with constant threats. As of January 2020, Google had removed more than 1,700 apps submitted to the Play Store over the previous three years that had been infected with the malware.
End-users should be careful with what they download, and even if they exclusively use the Play Store for downloading apps, they should be on the lookout for what kind of information their apps can access. Trust no one, especially no-name developers behind apps with poor review scores.
App providers cannot rely on OS security features alone. Make sure your app is fully protected with advanced hardening capabilities, integrity checks, and proactive anti-tampering features. You need to let the app protect itself by allowing it to identify and block attacks in real time.