Joker Android Malware Finds New Trick to Sneak Past Security Wall in Google Play Store

11 apps in question were removed by Google from the Play Store after CheckPoint informed about the malware risk

The threat actors behind dangerous Joker Android malware are back in action again. A new report revealed that cybercriminals have succeeded to successfully slip spyware infected apps onto Google's Play Store.

Earlier, the tech giant removed 11 malicious apps infected with the infamous Joker billing fraud malware from the Play Store on April 30, 2020 after the experts at Check Point informed Google about the return of the threat actors.

As per the security researchers, who published their findings on Thursday, July 9, the malware had found another trick to bypass Google's Play Store protections, obfuscate the malicious DEX executable inside the app as Base64 encoded strings, which are then decoded and loaded on the device.

apps on phone
Smartphone apps Pixabay

Check Point's Aviran Hazum, who identified the new modus operandi of Joker malware said, this malware is tricky to detect, despite Google's investment in adding Play Store protections. In addition, the expert said, "Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again."

The Saga of Joker Malware

Researchers first identified and tracked down Joker Malware almost three years ago. Google then described it as one of the most persistent threats it has had to deal with since 2017. This is a combination spyware and premium dialler app which hides inside the legitimate-looking apps.

It is also known for perpetrating billing fraud and its spyware capabilities, including stealing SMS messages, contact lists, and device information without the consent of the user. In 2019, the malware campaigns involving Joker had gained more foothold with number of malicious Android apps which were uncovered by security research firms such as CSIS Security Group, Trend Micro, Dr.Web, and Kaspersky,

To hide its malicious activities, the operators of the malware have developed a variety of methods which include, encryption to hide strings from analysis engines, fake reviews to trick users to download malware-laced apps, and a technique called versioning, which refers to uploading a clean version of the app to the market place to gain trust among the Android users and then silently adding malicious code at a later stage via app updates.

Google Play Store
YouTube

Earlier this year, Android's Security & Privacy Team said that as the Play Store has introduced new policies to ensure safety from malware threats and Google Play Protect has scaled up defenses, Bread apps were forced to continually iterate to search for loophole. The team also said, "They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected."

Till January 2020, Google has removed over 1,700 apps submitted to the Play Store over the past three years that showed evidence of malware.

New Modus Operandi

Android Manifest file, which is AndroidManifest.xml, contains important information about the app, besides permissions and information that it must provide to the target device's Android system before running any of its code.

According to Hazum, by hiding the malicious code inside the Android Manifest file, Joker does not need to access a command and control (C2) server to download its malicious payload, as the payload is now prebuilt and ready to go. This has the effect of making it much easier for Joker malware to slip unnoticed any of the Google Play Store's protections.

As per the expert, "Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users."

He advised the Android phone users to uninstall the app immediately if they think that the downloaded app has malware. He also asked to see if the users gave been signed up for any subscriptions which they do not recognize.

Here's a list of malware sample hashes and Android package names for all the apps found to be infected with Joker payloads:

SHA256 hashPackage Name
db43287d1a5ed249c4376ff6eb4a5ae65c63ceade7100229555aebf4a13cebf7com.imagecompress.android
d54dd3ccfc4f0ed5fa6f3449f8ddc37a5eff2a176590e627f9be92933da32926com.contact.withme.texts
5ada05f5c6bbabb5474338084565893afa624e0115f494e1c91f48111cbe99f3com.hmvoice.friendsms
2a12084a4195239e67e783888003a6433631359498a6b08941d695c65c05ecc4com.relax.relaxation.androidsms
96f269fa0d70fdb338f0f6cabf9748f6182b44eb1342c7dca2d4de85472bf789com.cheery.message.sendsms
0d9a5dc012078ef41ae9112554cefbc4d88133f1e40a4c4d52decf41b54fc830com.cheery.message.sendsms
2dba603773fee05232a9d21cbf6690c97172496f3bde2b456d687d920b160404com.peason.lovinglovemessage
46a5fb5d44e126bc9758a57e9c80e013cac31b3b57d98eae66e898a264251f47com.file.recovefiles
f6c37577afa37d085fb68fe365e1076363821d241fe48be1a27ae5edd2a35c4dcom.LPlocker.lockapps
044514ed2aeb7c0f90e7a9daf60c1562dc21114f29276136036d878ce8f652cacom.remindme.alram
f90acfa650db3e859a2862033ea1536e2d7a9ff5020b18b19f2b5dfd8dd323b3com.training.memorygame
Related topics : Cybersecurity
READ MORE