Security researchers have discovered the return of the Joker malware to the Google Play Store, hiding behind a number of legitimate apps and fielding greater capabilities than before.
In March, a report from consumer advisory firm Which? revealed that a vast majority of Android smartphones that were no longer receiving security support from OEMs, were vulnerable to the Joker malware that tricked smartphone users into downloading fake apps and covertly registered them to premium-rate services.
In January alone, Google kicked out as many as 1,700 applications from the Play Store that were found hiding the Joker malware. By then, these applications had enjoyed millions of downloads all over the world, enabling operators of the malware to victimise a large number of smartphone users with billing fraud campaigns.
According to Google, while earlier versions of Joker, that appeared sometime in 2017, were engaged in carrying out SMS fraud, later versions of the malware (also known as Bread malware) were designed for billing fraud that involved the malware authors using injected clicks, custom HTML parsers, and SMS receivers to automate billing processes without requiring any interaction from the user.
Joker malware is designed specifically to evade detection by Google Play Protect
In a blog post published earlier this year, Google noted that the developers of Joker malware used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. Many of the malware’s samples appeared to be designed specifically to attempt to slip into the Play Store undetected and at peak times of activity, Google observed up to 23 different apps from this family submitted to Play in one day.
According to security firm Check Point, the Joker malware has returned to the Play Store once again, this time in a new avatar that fields the capability of downloading additional malware to the device, which subscribes the user to premium services without their knowledge or consent.
“To realize the ability of subscribing app users to premium services without their knowledge or consent, the Joker utilized two main components – the Notification Listener service that is part of the original application, and a dynamic dex file loaded from the C&C server to perform the registration of the user to the services.
“In an attempt to minimize Joker’s fingerprint, the actor behind it hid the dynamically loaded dex file from sight while still ensuring it is able to load – a technique which is well-known to developers of malware for Windows PCs. This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded,” the firm said.
“The new payload contained code that the original Joker had in its main dex file – the registration of the NotificationListener service, subscribing the user to premium services, and more. But now, after this change, all that the actor needed in order to hide the entire functionality was to set the C&C server to return “false” on the status code, and none of the malicious activity would occur.”
In a piece of advice to Android phone users, researchers at Check Point said that in order to find out if your phone is infected with Joker malware, you should check your mobile and credit-card bills to see if you have been signed up for any subscriptions and unsubscribe if possible, install a mobile security solution, and uninstall infected applications as soon as possible.