Updated Joker Android Malware Adds Evasion TechniquesMalicious Code Hid Within Apps Posted to Google Play Store
Check Point Research reports that a new version of the Joker mobile malware that infects Android devices has emerged. The malware, hidden in apps in the Google Play store, has once again evaded Google's security tools.
Researchers found the malicious Joker code hidden within 11 seemingly legitimate apps. Google removed all of the apps - including benign-looking game and wallpaper apps - by April 30 after it was notified by the researchers, according to the Check Point report.
The Joker malware, also known as Bread, has been active since at least 2017, although it has become more prevalent over the last year. The malware has the ability to steal SMS messages, contact lists and device information from infected Android smartphones. It also automatically signs up victims for premium services from various websites, according to Check Point.
Back in January, Google announced that it had removed about 17,000 apps from its official store that were used to help distribute this malicious code.
After those apps were discovered, the operators behind Joker apparently changed tactics to get their malware back into the Google Play store, according to Check Point.
"Joker, one of the most prominent types of malware for Android, keeps finding its way into Google’s official application market as a result of small changes to its code, which enable it to get past the Play Store's security and vetting barriers," analysts Aviran Hazum, Bogdan Melnykov, and Israel Wernik write in their report.
Adopting New Techniques
The Check Point researchers found that the operators behind Joker adopted several techniques previously used to infect Windows-based devices and evade security tools.
The Joker gang manipulated two key features - the Notification Listener Service in Android and a dynamic DEX file. These were then used to register the victimized user for the unwanted premium services, according to the report.
In the 11 infected apps that Check Point recently found, the malware developers hid a malicious DEX file - a Windows developer feature - within the Android Manifest file, according to the report.
"In an attempt to minimize Joker's fingerprint, the actors behind it hid the dynamically loaded DEX file from sight while still ensuring it is able to load - a technique which is well-known to developers of malware for Windows PCs," the researchers note in their analysis.
The Android Manifest file, which acts as a directory, is used in every Android app. It contains essential information about each app, such as what permissions the app will need once it's installed, and is used by the Google Play store to ensure the legitimacy of each app before it’s posted, according to the report.
The operators loaded the malware into the DEX file using Base64 encoded strings to hide the malicious code and then inserted that file into the app's Android Manifest. This way, the malware could stay dormant and hidden until Google approved the app for the store, the researchers say.
"The malware does not need to access a [command-and-control] server, which is a computer controlled by a cybercriminal used to send commands to systems compromised by malware, to download the payload, the portion of the malware which performs the malicious action," the researchers note.
Once the approval process was complete and the app was posted in the official Google Play Store, the Joker malware then contacted the command-and-control server and began receiving instructions after victims downloaded the app, according to the report.
Targeting Google Play
While Google has put more money and effort into securing its app store, fraudsters and hackers keeping changing their tactics to get malicious apps posted on the platform.
Malwarebytes recently reported fraudsters were able to insert a Trojan called Cereberus into the Play Store by hiding it within a money converter app. Since March, the app was downloaded some 10,000 times by users, mainly in Spain (see: Cereberus Banking Trojan Targeted Spanish Android Users).
In other cases, researchers have found malicious code within the Google Play Store that was then used to create botnets from infected Android devices (see: Botnet Watch: Anubis Mobile Malware Gets New Features).