Joker Android Malware Finds New Trick to Sneak Past Security Wall in Google Play Store

The threat actors behind dangerous Joker Android malware are back in action again. A new report revealed that cybercriminals have succeeded to successfully slip spyware infected apps onto Google's Play Store.

Earlier, the tech giant removed 11 malicious apps infected with the infamous Joker billing fraud malware from the Play Store on April 30, 2020 after the experts at Check Point informed Google about the return of the threat actors.

As per the security researchers, who published their findings on Thursday, July 9, the malware had found another trick to bypass Google's Play Store protections, obfuscate the malicious DEX executable inside the app as Base64 encoded strings, which are then decoded and loaded on the device.

Check Point's Aviran Hazum, who identified the new modus operandi of Joker malware said, this malware is tricky to detect, despite Google's investment in adding Play Store protections. In addition, the expert said, "Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again."

The Saga of Joker Malware

Researchers first identified and tracked down Joker Malware almost three years ago. Google then described it as one of the most persistent threats it has had to deal with since 2017. This is a combination spyware and premium dialler app which hides inside the legitimate-looking apps.

It is also known for perpetrating billing fraud and its spyware capabilities, including stealing SMS messages, contact lists, and device information without the consent of the user. In 2019, the malware campaigns involving Joker had gained more foothold with number of malicious Android apps which were uncovered by security research firms such as CSIS Security Group, Trend Micro, Dr.Web, and Kaspersky,

To hide its malicious activities, the operators of the malware have developed a variety of methods which include, encryption to hide strings from analysis engines, fake reviews to trick users to download malware-laced apps, and a technique called versioning, which refers to uploading a clean version of the app to the market place to gain trust among the Android users and then silently adding malicious code at a later stage via app updates.

Earlier this year, Android's Security & Privacy Team said that as the Play Store has introduced new policies to ensure safety from malware threats and Google Play Protect has scaled up defenses, Bread apps were forced to continually iterate to search for loophole. The team also said, "They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected."

Till January 2020, Google has removed over 1,700 apps submitted to the Play Store over the past three years that showed evidence of malware.

New Modus Operandi

Android Manifest file, which is AndroidManifest.xml, contains important information about the app, besides permissions and information that it must provide to the target device's Android system before running any of its code.

According to Hazum, by hiding the malicious code inside the Android Manifest file, Joker does not need to access a command and control (C2) server to download its malicious payload, as the payload is now prebuilt and ready to go. This has the effect of making it much easier for Joker malware to slip unnoticed any of the Google Play Store's protections.

As per the expert, "Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users."

He advised the Android phone users to uninstall the app immediately if they think that the downloaded app has malware. He also asked to see if the users gave been signed up for any subscriptions which they do not recognize.

Here's a list of malware sample hashes and Android package names for all the apps found to be infected with Joker payloads: