The Joker mobile trojan is back, experts spotted multiple malicious apps on the official Google Play store that were able to evade scanners.
Experts reported an uptick in malicious Android apps on the official Google Play store laced with the Joker mobile trojan.
The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disable the Google Play Protect service, install malicious apps, generate fake reviews, and show ads.
The spyware is able to steal SMS messages, contact lists, and device information and to sign victims up for premium service subscriptions.
Since 2019 experts found many Joker apps on Google Play store, in September 2019 security experts at Google removed from the store 24 apps.
In April 2021, more than 500,000 Huawei users were infected with the Joker malware after they have downloaded tainted apps from the company’s official Android store.
According to security firm Zimperium, more than 1,800 Android apps infected with Joker have been removed from the Google Play store in the last four years and at least 1,000 new samples have been detected just since September.
“Recently, the Zimperium zLabs mobile threat research team has noticed a large uptick in Joker variants on Android marketplaces, with over 1000 new samples since our last coverage in September of 2020. These variants were found using the same malware machine learning engine powering zIPS on-device detection and Google’s App Alliance, proving that on-device detection capabilities are a must to ensure full protection of an enterprises’ mobile endpoints.” states a post published by the experts.
Experts pointed out that threat actors have routinely found new and unique ways to upload the tainted apps in official and unofficial app stores. The periodic wave of attacks shows that authors continue to modify the malware to evade detection.
The developers behind the most recent version of Joker, which appeared in the threat landscape at the end of 2020, are using legitimate developer techniques to “try and hide” the malicious activity. Vxers are starting to use the common legitimate Google open-source app development kit Flutter in the development process to create applications that can bypass traditional scanners appearing as clean.
The developers are embedding Joker as a payload that can be encrypted in different ways, either a .dex file xored or encrypted with a number, or through the same .dex file as before. The payload is hidden inside an image using steganography to evade scanner detection.
The image are hosted on legit cloud file hosting services and the malware uses a combination of native libraries to decrypt the offline payload from the APK’s assets or connect to C&C for the payload.
The most recent Joker malware samples also includes for the first time URL shorteners and check the current time against a hardcoded launch-time.
“After successful installation, the application infected with Joker will run a scan using Google Play APIs to check the latest version of the app in Google Play Store,” continues Zimperium. explained. “If there is no answer, the malware remains silent since it can be running on a dynamic analysis emulator. But if the version found in the store is older than the current version, the local malware payload is executed, infecting the mobile device. If the version in the store is newer than the current one, then the C2s are contacted to download an updated version of the payload.”
Joker malware is a serious threat, the ability of its developers and their efforts in bypassing security scanners of the official store pose a serious risk mobile users.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine