Check Point researchers in their latest report found a new variant of Joker Dropper and Premium Dialer spyware in the Google Play Store. The malware was found hiding in ‘seemingly legitimate applications’. The latest version found can download additional malware into the affected device. It then subscribes users to premium services without their knowledge or consent.
A list of malicious apps
In 2019, Joker malware attacks spread like wildfire on multiple devices. In addition, Google has removed 11 apps from its Play Store that are reportedly infected by the Joker malware. The applications are enlisted as follows:
- com.cheery.message.sendsms (two different instances)
- com.contact.withme.texts com.hmvoice.friendsms
Earlier this year, Google removed nearly 1,700 applications from its Play Store that were infected with malware similar to Joker. A new report suggests the malware is tricky to spot, which tells us about the possibility of a come back on the Play Store.
The Joker malware, after entering the device steals the user’s money by subscribing them to paid subscriptions. First, the malware interacts with ads and then steals the user SMS messages along with One time password (OTP) and other payments.
To conceal the fraud from the victim, Joker deletes messages on the affected phone. Attacked users will not know about the sign up for paid subscription service and the money deducted from the account. Unless or until they receive a message or notification from the bank about the deduction through their credit card.
According to the report, Joker malware finds its way into the Google Play Store market with the help of small changes to its code. This change will enable the malware to bypass security and vetting constraints.
This time, the attacker went for an old technique from the conventional PC threat landscape and used it in the mobile app to avoid detection by Google. The Joke malware used two main components to attack “the Notification Listener service that is part of the original application, and a dynamic dex file loaded from the C&C server to perform the registration of the user to the services,” said the report.
To minimize the Joker footprint, the hacker cleverly hid the file by dynamically loading it on the dex file, also ensuring it will be able to load completely when triggered. The malicious dex file is hidden inside the Base64 encoded strings, here it is ready to be decoded and loaded.
Normally, the code communicates with the C&C and the dynamic dex file is located inside the main class.dex file which is then downloaded. However, the malware gets triggered by creating a new object with the C&C. Now a new modified version of the code is embedded in a different zone along with the classes.dex file for a new payload is loaded.
Check Point suggests users to check all apps to find out any non-trusted developer apps installed on the device. When the user finds such an application, it should be uninstalled. Users also need to check their bank and credit cards for any unauthorized payments. If users find such payments, they need to unsubscribe from those charges. Users are suggested to install an effective anti-virus to avoid any such attacks in the future.
Whenever Joker malware got caught, Google added new methods to its screening process for applications on the Play Store to avoid threats. However, the core functionality of the Joker malware remains the same but changes its methods to attack. Check Point warns of the possibility of many more malicious apps in the play store.