The Joker mobile malware has returned to Google Play, with a rise in malicious Android apps that conceal the billing-fraud software, according to researchers. It is also using new techniques to slip past Google’s app-vetting process.
Joker has been hiding inside seemingly legitimate apps, including camera apps, games, messengers, photo editors, translators, and wallpapers, since 2017. Once installed, Joker apps quietly simulate clicks and intercept SMS messages to sign victims up for unwanted, paid premium services controlled by the attackers – a kind of billing fraud known as “fleeceware”.
Malicious Joker applications are widely available outside of the official Google Play store, and they’ve been escaping Google Play’s safeguards since 2019. This is mostly due to the malware developers’ constant modification of their attack approach. As a result, periodic waves of Joker infections have occurred within the official store, including two large outbreaks last year.
Over 1,800 Android applications infected with Joker have been removed from the Google Play store over the past four years, according to Zimperium researchers.
Since September, at least 1,000 new samples have been discovered in the newest wave, with many of them making their way into the legitimate market.
According to a Zimperium analysis, “Malicious actors have routinely found new and unique ways to get this malware into both official and unofficial app stores. While they are never long for life in these repositories, the persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat-and-mouse game.”
According to Zimperium, the developers of the most recent versions of Joker, which first appeared in late 2020, are using legitimate developer techniques to “try and hide the actual intent of the payload from traditional, legacy-based mobile security toolsets,” which allows them to escape both device-based security and app store protections.
Flutter, a Google-developed open-source app development kit that lets developers build native apps for mobile, web, and desktop from a single codebase, is one way they are doing so. The researchers explained, “Due to the commonality of Flutter, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies”.
Another anti-detection method recently adopted by Joker’s operators, according to the research, is embedding the payload as a .DEX file that may be obfuscated in a variety of ways, such as being encrypted with a number or buried inside a picture via steganography.
In the latter case, researchers said, the picture is sometimes hosted in legitimate cloud repositories or on a remote command-and-control (C2) server.
Other new behaviors include hiding C2 addresses with URL shorteners and decrypting an offline payload using a mix of native libraries.
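The hidden-DEX technique described above suggests a simple triage check an analyst can run over an APK before deeper analysis. The following script is an added example, not code from the original article or from Zimperium: it opens an APK as a zip, and flags image-named entries that either contain a DEX header or carry a high-entropy blob appended after the image’s natural end marker (what an encrypted DEX tacked onto a picture would look like). The sample APK it builds is constructed for the demonstration and is not a real Joker artifact; the 7.5-bit entropy threshold is an assumed heuristic.

```python
import io
import math
import zipfile

DEX_MAGIC = b"dex\n03"          # DEX header "dex\n0NN\0" (versions 035..039 exist)
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".webp")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed blobs sit close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def trailing_bytes(data: bytes) -> bytes:
    """Bytes after the image's own end marker (PNG IEND chunk plus its CRC, or JPEG FFD9)."""
    if data.startswith(b"\x89PNG"):
        idx = data.rfind(b"IEND")
        return data[idx + 8:] if idx != -1 else b""
    if data.startswith(b"\xff\xd8"):
        idx = data.rfind(b"\xff\xd9")
        return data[idx + 2:] if idx != -1 else b""
    return b""

def suspicious_images(apk_bytes: bytes, entropy_threshold: float = 7.5) -> dict:
    """Map image-named APK entries to the reason they look like payload carriers."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not name.lower().endswith(IMAGE_EXT):
                continue
            data = apk.read(name)
            if DEX_MAGIC in data:                 # plaintext DEX hidden in an image
                findings[name] = "dex-magic"
                continue
            tail = trailing_bytes(data)           # anything past the image's end marker
            if len(tail) > 64 and shannon_entropy(tail) > entropy_threshold:
                findings[name] = "high-entropy-tail"
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample: a clean PNG, a PNG with a DEX appended, a PNG with an encrypted-looking tail."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"IEND\xaeB`\x82"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("res/drawable/clean.png", png)
        z.writestr("assets/logo.png", png + b"dex\n035\x00" + b"\x00" * 100)
        z.writestr("assets/bg.png", png + bytes(range(256)) * 16)  # uniform bytes: entropy 8.0
    return buf.getvalue()
```

A match is a lead for manual inspection, not proof of malice: some legitimate apps append metadata to images, so the tail should be examined before the app is classified.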
The new samples also take further steps to remain covert when a trojanized program is loaded, according to researchers.
“After successful installation, the application infected with Joker will run a scan using Google Play APIs to check the latest version of the app in Google Play Store,” researchers explained.
“If there is no answer, the malware remains silent since it can be running on a dynamic analysis emulator. But if the version found in the store is older than the current version, the local malware payload is executed, infecting the mobile device. If the version in the store is newer than the current one, then the C2s are contacted to download an updated version of the payload.”
Consumers and enterprises alike at risk:
The apps are appearing in a variety of places, including Google Play and unauthorized third-party markets, as well as other legitimate channels, some for the first time. For example, AppGallery, Huawei’s official app store for Android, was recently found to be hosting Joker-infected apps.
According to Doctor Web, the applications were downloaded to over 538,000 smartphones by unsuspecting users in April.
Saryu Nayyar, CEO at Gurucul, said in an email, “Sadly, the Joker malware is no joke. And even more depressing, no dark knight is going to ride in to save users from these malicious apps. Users have to manually clean their devices of this pesky malware. The good news is that it appears the only damage is financial and likely temporary. Users who have been subscribed to premium mobile services as a result of this malware can request refunds for said services since the affected applications are known.”
Earlier this year, Josh Bohls, CEO and founder at Inkscreen, said that Joker is a problem for businesses as well as individuals.
“These malicious applications can find their way into the enterprise when an infected device is enrolled in a company’s bring-your-own-device (BYOD) program, and suddenly you have a new threat vector,” he said via email.