Cybersecurity researchers have disclosed yet another example of Android malware hiding behind seemingly genuine applications in order to covertly subscribe unsuspecting users to premium services without their knowledge.
According to the reports, the malware, known as Joker, conceals the malicious DEX executable inside the application as Base64-encoded strings, which are then decoded and loaded on the compromised device.
Following responsible disclosure by Check Point researchers, Google removed the 11 apps in question from the Play Store on April 30, 2020.
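The loading trick described above has a concrete detection angle: a DEX file always starts with the magic bytes `dex\n` followed by a three-digit version and a NUL byte, so a Base64 run anywhere in an APK that decodes to that header is a strong signal that a second-stage executable is being smuggled past static checks. The following Python script is an added example written for this article, not code from Check Point or from the Joker samples; it builds a small synthetic APK in memory (the entry names and the stub DEX header are constructed for the demo) and scans every entry for Base64 runs that decode to a DEX magic.

```python
import base64
import io
import re
import zipfile
from typing import Dict, List, Tuple

# DEX magic: "dex\n" + 3-digit version (035, 037, 038, 039, ...) + NUL.
DEX_MAGIC_RE = re.compile(rb"^dex\n\d{3}\x00")
# Candidate Base64 runs: at least 64 chars, optional padding.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_base64_dex(blob: bytes) -> List[Tuple[int, int]]:
    """Return (offset, run_length) for each Base64 run in `blob` whose
    decoded bytes begin with a DEX header. Only a prefix of each run is
    decoded, so very large embedded payloads are cheap to check."""
    hits = []
    for m in B64_RUN_RE.finditer(blob):
        run = m.group(0)
        # Trim to a multiple of 4 chars (max 1 KiB) so the prefix decodes cleanly.
        head = run[: (min(len(run), 1024) // 4) * 4]
        try:
            decoded = base64.b64decode(head, validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            continue
        if DEX_MAGIC_RE.match(decoded):
            hits.append((m.start(), len(run)))
    return hits


def scan_apk(apk_bytes: bytes) -> Dict[str, List[Tuple[int, int]]]:
    """Scan every entry of an APK (a zip file) and report the entries that
    contain a Base64-encoded DEX payload."""
    findings: Dict[str, List[Tuple[int, int]]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            hits = find_base64_dex(zf.read(info.filename))
            if hits:
                findings[info.filename] = hits
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal zip that mimics an APK layout. One
    asset smuggles a stub DEX (header only, padded) as Base64; another
    holds benign Base64 text to show the scanner does not flag it."""
    stub_dex = b"dex\n035\x00" + b"\x00" * 120          # constructed, not a real DEX
    smuggled = base64.b64encode(stub_dex)
    benign = base64.b64encode(b"The quick brown fox jumps over the lazy dog. " * 4)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")  # placeholder content
        zf.writestr("assets/config.txt", b"endpoint=https://example.invalid\npayload="
                    + smuggled + b"\nretry=3\n")
        zf.writestr("res/raw/notes.txt", b"banner=" + benign + b"\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_apk(build_sample_apk()).items():
        for offset, length in hits:
            print(f"{entry}: Base64 DEX payload at offset {offset}, {length} chars")
```

The scan works on raw bytes, so it catches payloads stored in assets, raw resources, or as string constants in `classes.dex`. It will miss strings held as UTF-16 in `resources.arsc` and payloads split across several constants and concatenated at runtime; for those, decode the resources and string tables first (for example with apktool) and run the check over the extracted text.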
“The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections,” said Check Point’s Aviran Hazum, who identified the new modus operandi of Joker malware. “Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again.”
Joker, first spotted in 2017, is one of the most widespread types of Android malware, notorious for billing fraud and for its spyware capabilities, including stealing SMS messages, contact lists, and device information.
Joker-linked operations gained further traction last year, with a series of infected Android apps exposed by CSIS Security Group, Trend Micro, Dr.Web, and Kaspersky, the malware repeatedly finding new ways to slip through gaps in Play Store security checks.
To disguise their true nature, the malware authors behind the long-running operation have resorted to a variety of approaches. “As the Play Store has introduced new policies and Google Play Protect has scaled defenses, Bread apps were forced to continually iterate to search for gaps,” Android’s Security & Privacy Team said earlier this year. “They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected.”
As of January 2020, Google has deleted more than 1,700 apps submitted to the Play Store over the past three years that had been infected with the malware.
“To achieve the capability of subscribing the users to premium services without their knowledge or consent, the Joker utilized two main components — the Notification Listener as a part of the original application, and a dynamic dex file loaded from the C&C server to perform the registration,” Hazum noted in his analysis.
Additionally, the variant comes armed with a new feature that lets the threat actor remotely issue a “false” status code from a C&C server under their control to suspend the malicious activity.