Cybersecurity researchers revealed that a new variant of the infamous Joker malware has once again slipped into Google Play, and Google has removed 11 malicious Android applications from its Play Store.
The Android malware was hidden under the disguise of legitimate applications in order to secretly subscribe users to premium services without their knowledge.
According to a published Check Point research report, the malware, known as Joker or Bread, has found a new technique to bypass Google Play Store protections: the malicious DEX executable is obfuscated inside the application as Base64-encoded strings, which are then decoded and loaded on the compromised device.
After the disclosure by Check Point researchers, the 11 apps in question were removed by Google from the Play Store on April 30, 2020.
Check Point’s Aviran Hazum stated that the Joker malware was difficult to detect despite the security protections Google has in place. He added that even though the malicious apps were removed from the Play Store, there is a chance that Joker might adapt again.
Joker, first discovered in 2017, is one of the most widespread kinds of Android malware. It is known for billing fraud and for its spyware capabilities, including stealing SMS messages, contact lists, and device information.
In order to hide their true nature, the malware operators have used a variety of methods, including encryption to hide strings from analysis engines, fake reviews to entice users to download the apps, and a technique called versioning. In this method a clean version of the app is uploaded to the Play Store to gain users’ trust, and malicious code is later added secretly through app updates.
As the Play Store introduced new policies and Google Play Protect strengthened its defenses, Bread apps were forced to iterate continually in search of gaps, using every available method and complicated technique to go undetected.
As of January 2020, Google has removed more than 1,700 apps submitted to the Play Store over the past three years that had been infected with the malware.
The newly found variant has the same goal, but it leverages the app’s manifest file, which is used to load a Base64-encoded DEX file.
A second “in-between” version was also identified. It uses a similar technique of hiding the .dex file as Base64 strings, but adds it as an inner class in the main application and loads it via reflection APIs.
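To illustrate what a defender can look for, here is an added example that is not code from the article or from Check Point: a small Python heuristic that scans a decoded AndroidManifest.xml, a strings.xml, or any other text resource for standard-alphabet Base64 runs that decode to bytes beginning with a DEX file header. The manifest text, the package name and the payload bytes in the sample are constructed for this example; the `dex\n` magic followed by a three-digit version number is the real DEX header layout. It assumes the payload is encoded as one contiguous Base64 run with the standard alphabet, which is a heuristic, not a guarantee.

```python
"""Heuristic scanner for Base64-encoded DEX payloads in Android app resources.

Added example, not from the Check Point report or the article. Assumes the input
is raw bytes of a decoded manifest or resource file (e.g. dumped with apktool)
and that the hidden DEX is a single, standard-alphabet Base64 run.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Standard Base64 alphabet, runs of at least 64 characters, optional padding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Every DEX file starts with the magic "dex\n", a 3-digit version, then NUL.
_DEX_MAGIC = re.compile(rb"^dex\n(\d{3})\x00")


def decode_base64_run(run: bytes) -> Optional[bytes]:
    """Decode a Base64 run, tolerating missing padding; None if not valid Base64."""
    run = run.rstrip(b"=")
    rem = len(run) % 4
    if rem == 1:  # no valid Base64 string has this length
        return None
    if rem:
        run += b"=" * (4 - rem)
    try:
        return base64.b64decode(run, validate=True)
    except binascii.Error:
        return None


def find_base64_dex(blob: bytes, min_len: int = 64) -> List[Dict]:
    """Return one hit per Base64 run whose decoded bytes start with a DEX header."""
    hits = []
    for m in _B64_RUN.finditer(blob):
        run = m.group(0)
        if len(run) < min_len:
            continue
        decoded = decode_base64_run(run)
        if decoded is None:
            continue
        magic = _DEX_MAGIC.match(decoded)
        if magic:
            hits.append({
                "offset": m.start(),
                "encoded_len": len(run),
                "decoded_len": len(decoded),
                "dex_version": magic.group(1).decode(),
            })
    return hits


# Constructed sample: a benign Base64 blob (a fake PNG icon) next to a fake
# DEX payload, embedded in manifest-like text the way the article describes.
FAKE_DEX = b"dex\n035\x00" + bytes(range(256)) * 2  # valid header + filler
SAMPLE_MANIFEST = (
    b'<manifest package="com.example.sample">\n'
    + b'  <meta-data android:name="icon" android:value="'
    + base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(64))
    + b'"/>\n'
    + b'  <meta-data android:name="loader" android:value="'
    + base64.b64encode(FAKE_DEX)
    + b'"/>\n'
    + b"</manifest>\n"
)

if __name__ == "__main__":
    for hit in find_base64_dex(SAMPLE_MANIFEST):
        print(f"Base64 DEX at offset {hit['offset']}: "
              f"version {hit['dex_version']}, {hit['decoded_len']} bytes")
```

Pointed at real files, the scanner is only a first pass: it flags the benign icon blob as nothing and the DEX blob as a hit because it checks the decoded bytes, not the mere presence of Base64, but a payload that is split into chunks, uses a custom alphabet, or is encrypted before encoding will not match and needs a different check.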
To subscribe users secretly without their consent, Joker relies on two main components: a Notification Listener that is part of the original application, and a dynamic .dex file loaded from the C&C server to perform the registration.
In addition, the variant has several new features that allow the threat actor to remotely issue a “false” status code from a C&C server under their control in order to suspend the malicious activity.
Users who have installed the infected apps should check their mobile bills and transaction history for any suspicious payments, and should carefully review the permissions of every app installed on their Android device.