Malicious apps spreading the Joker have continued to skirt Google Play’s protections since 2019, because the malware’s author kept making small changes to its code. However, researchers say that Joker is now raising the bar, using a tactic – one that’s well known but not yet been used by Joker before now – to hide malicious code inside legitimate applications, allowing it to get through Google Play’s app vetting process.
“Joker adapted,” said Aviran Hazum, manager of Mobile Research with Check Point Research, in a Thursday analysis. “The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people.”
Joker is a billing fraud family of malware that first emerged in 2017, but started appearing in earnest in 2019. It advertises itself as a legitimate app, but once installed, it infects victims post-download to steal their SMS messages, contact lists and device information; as well as also stealthily signing them up for premium service subscriptions that could quietly drain their wallets.
The most recent variant of the malware uses a tactic where it hides malicious code inside what’s called the “Android Manifest” file of a legitimate application. Every application has an Android Manifest file in its root directory, which provides essential information about an app, such as its name, icon and permissions, to the Android system.
Joker has been building its payload before inserting it into the “Android Manifest” file via a dex file, hidden in the form of Base64 encoded strings. This payload is hidden during Google Play’s evaluation of the app, making it easier to skirt by the app vetting process. It’s not until after the app has been approved in the evaluation process that the campaign starts to operate, with the malicious payload decoded and loaded onto the compromised device. It’s important to note that this trick is well-known to developers of malware for Windows PCs, said researchers.
“This way, the malware does not need to access a [command-and-control] server, which is a computer controlled by a cybercriminal used to send commands to systems compromised by malware, to download the payload, the portion of the malware which performs the malicious action,” said researchers.
Researchers also detected an “in-between” variant, that utilized the technique of hiding the .dex file as Base64 strings in the app.
However, “instead of adding the strings to the Manifest file, the strings were located inside an internal class of the main application,” said researchers. “In this case, all that was needed for the malicious code to run was to read the strings, decode them from Base64, and load it with reflection.”
The apps detected that contained Joker malware ranged from memory training games to flower-themed phone wallpaper (see below for the package names).
The Joker malware continues to hoodwink its way onto Google Play via legitimate applications. In January, researchers revealed that Google removed 17,000 Android apps so far from the Play store that have been conduits for the Joker malware (a.k.a. Bread). At the time, researchers said that Joker’s operators have “at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected.” In 2019, researchers also spotted 24 malicious apps – with a total of 472,000 installs – on the official Android app marketplace that were spreading the Joker malware.
“Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users,” said Check Point researchers.
Check Point researchers disclosed their findings to Google and all reported applications were removed from the Play Store by April 30, they said. Threatpost has reached out to Google for further comment on this incident and on its Google Play vetting process.
BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.