It seems Google’s Play Store did not hear the Joker laughing. Confused? Yes, it is true! An old yet familiar malware family, the Joker malware, has been found secretly hiding in legitimate Google Play applications. According to the researchers, the new variant is an improvised version of the previously known malware: it downloads additional payloads and also subscribes app users to premium services without their knowledge or consent.
The Joker’s First Laugh
This Joker malware first surfaced in 2017. It was one of the most common types of Android malware used to carry out billing fraud, and its spying capabilities meant it was extensively used to steal SMS messages, contact lists, and device information. Since then, the Joker malware has been prevalent in several cybercriminal activities under various names, as researchers suggest.
Joker Malware’s Evolution
The new variant, first discovered by Check Point researchers Aviran Hazum, Bogdan Melnykov, and Israel Wernik, leverages the app’s manifest file to load a Base64-encoded DEX file. The .dex file is hidden as Base64 strings and added as an inner class of the main application, which then loads it via the reflection APIs.
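A defender-side check for the hiding technique described above, written as an added example and not code from the article or from Check Point: given text extracted from an APK (manifest values or string constants, assumed to have been pulled out already), it finds Base64 runs whose decoded prefix carries the DEX magic header, so an embedded .dex can be flagged without decoding whole blobs.

```python
import base64
import binascii
import re
from typing import List, Optional

# Every DEX file starts with the magic "dex\n" + 3-digit version + NUL,
# e.g. b"dex\n035\x00". A loader that keeps the DEX Base64-encoded in a
# string can be spotted by decoding only the first few bytes of each string.
DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")

# Base64 runs long enough to hold at least a DEX header.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_prefix(token: str, nbytes: int = 16) -> Optional[bytes]:
    """Decode only the leading 4-char groups of a Base64 token (cheap check)."""
    groups = (nbytes + 2) // 3                      # 4 chars -> 3 bytes
    chunk = token[: groups * 4]
    chunk = chunk[: len(chunk) - len(chunk) % 4]    # keep whole groups only
    try:
        return base64.b64decode(chunk, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_embedded_dex(text: str) -> List[str]:
    """Return the Base64 tokens in `text` whose decoded prefix is a DEX header."""
    hits = []
    for match in B64_RUN.finditer(text):
        token = match.group(0)
        prefix = decode_prefix(token)
        if prefix is not None and DEX_MAGIC.match(prefix):
            hits.append(token)
    return hits


# Constructed sample (not a real Joker artifact): a manifest fragment whose
# meta-data value carries a Base64-encoded DEX header next to a benign value.
FAKE_DEX = b"dex\n035\x00" + bytes(range(24))
SAMPLE_DEX_B64 = base64.b64encode(FAKE_DEX).decode()
SAMPLE_MANIFEST = (
    '<meta-data android:name="cfg" android:value="' + SAMPLE_DEX_B64 + '"/>\n'
    '<meta-data android:name="label" android:value="SGVsbG8gV29ybGQhIQ=="/>\n'
)

if __name__ == "__main__":
    for token in find_embedded_dex(SAMPLE_MANIFEST):
        print("embedded DEX found, Base64 length", len(token))
```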
Referring to its additional capabilities, Aviran Hazum said, “To achieve the capability of subscribing users to premium services without their knowledge or consent, the Joker utilized two main components — the Notification Listener as a part of the original application, and a dynamic dex file loaded from the C&C server to perform the registration.”
Joker malware also has an additional feature that remotely issues a “false” status code from a C&C server under the threat actors’ control, which helps disguise the malicious activity as legitimate.
Joker Malware IOCs