A new variant of the notorious Joker malware has once again bypassed Google’s security measures, this time by hiding in 11 seemingly legitimate apps on the Google Play Store, researchers discovered.
On Thursday, July 9, malware experts at security firm Check Point revealed that an updated version of Joker has struck again, with new features that enable it to get around Google Play’s vetting process.
“Check Point’s researchers recently discovered a new variant of the Joker Dropper and Premium Dialer spyware in Google Play. Hiding in seemingly legitimate applications, we found that this updated version of Joker was able to download additional malware to the device, which subscribes the user to premium services without their knowledge or consent,” the researchers wrote.
According to them, the malware “adopted an old technique from the conventional PC threat landscape and used it in the mobile app world to avoid detection by Google.”
“To realize the ability of subscribing app users to premium services without their knowledge or consent, the Joker utilized two main components – the Notification Listener service that is part of the original application, and a dynamic dex file loaded from the C&C server to perform the registration of the user to the services,” they added.
Specifically, researchers noted that the Joker now deploys a new method that involves hiding its malicious payload inside the Android Manifest file of a legitimate app.
“This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded,” they explained.
By doing so, the payload comes prebuilt and ready to go, removing the need for the malware to contact a command-and-control (C2) server just to download it.
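The two traits described above, a service that binds as a notification listener and a base64-encoded dex file stored as a string inside the manifest, are both visible in a decoded AndroidManifest.xml, so a reviewer can check for them before trusting an app. The script below is an added example, not Check Point’s tooling or code from any of the apps mentioned; it assumes the binary manifest has already been decoded to plain XML (for instance with apktool) and runs over a constructed sample manifest embedded inline, in which the base64 blob is a fabricated header rather than a real dex file.

```python
import base64
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NOTIFICATION_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Every classes.dex begins with the 8-byte magic "dex\n" + 3-digit version + NUL.
DEX_MAGIC = b"dex\n"
# Long unbroken base64 runs; short tokens such as package names never reach 40 chars.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample: a fake 48-byte "dex" (magic + zero padding), base64-encoded,
# placed in a <meta-data> value the way the article describes. Not a real payload.
FAKE_DEX_B64 = base64.b64encode(b"dex\n035\x00" + b"\x00" * 40).decode()

# Constructed sample manifest (hypothetical package name, not from any listed app).
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpaper">
    <service android:name=".NotifSvc"
             android:permission="{NOTIFICATION_LISTENER_PERM}">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <meta-data android:name="config" android:value="{FAKE_DEX_B64}"/>
  </application>
</manifest>
"""


def find_notification_listeners(root):
    """Return the android:name of every <service> guarded by the notification-listener permission."""
    hits = []
    for svc in root.iter("service"):
        perm = svc.get(f"{{{ANDROID_NS}}}permission", "")
        if perm == NOTIFICATION_LISTENER_PERM:
            hits.append(svc.get(f"{{{ANDROID_NS}}}name"))
    return hits


def find_embedded_dex(manifest_text):
    """Decode each long base64 run in the manifest and report those that decode to a dex header.

    Returns a list of (offset_in_manifest, decoded_length) tuples.
    """
    found = []
    for m in B64_RUN.finditer(manifest_text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError: bad padding or stray chars
            continue
        # Require the magic and the NUL that terminates the version field.
        if raw.startswith(DEX_MAGIC) and len(raw) >= 8 and raw[7:8] == b"\x00":
            found.append((m.start(), len(raw)))
    return found


def scan_manifest(manifest_text):
    """Run both checks over one decoded manifest and return the findings."""
    root = ET.fromstring(manifest_text)
    return {
        "notification_listeners": find_notification_listeners(root),
        "embedded_dex": find_embedded_dex(manifest_text),
    }


if __name__ == "__main__":
    report = scan_manifest(SAMPLE_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Neither finding is proof of malice on its own: legitimate notification-management apps bind the same listener service, and a large base64 string can hold an icon or a certificate. The combination of the two in an app with no obvious need for notification access is what merits a closer look at the decoded blob, and the dex-magic check keeps the scan from flagging ordinary base64 assets.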
“Joker adapted,” said Aviran Hazum, a researcher at Check Point. “We found it hiding in the essential information file every Android application is required to have. Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users.”
“The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people,” he added.