Google removes 17 apps infected with evasive ‘Joker’ malware

Researchers identify three variations in the way the 'fleeceware' strain infects victims' Android devices

Google has removed a further 17 apps embedded with Joker malware after security experts warned of the fleeceware's continued rise in prominence. 

The billing-fraud malware was found in early September in six apps posing as legitimate software, with a combined 200,000 installs. Google has now removed a further 17 infected apps from the Play Store after researchers at Zscaler alerted the company to their presence.

The malware simulates clicks and intercepts SMS messages to sign users up to premium services they never asked for. Strains of this kind, known as fleeceware, are generally hard to detect because the malicious component in the app is very small.

The 17 Android apps removed from the Play Store, downloaded around 120,000 times in total, include All Good PDF Scanner, Mint Leaf Message, Unique Keyboard - Fancy Fonts & Free Emoticons, and Tangram App Lock, among others. The rest were a mix of messaging apps, scanners and PDF converters, and photo editing tools.

After identifying these apps, Zscaler set out to document how the payload is delivered in each variant, and how and why Joker remains so evasive.

In many Joker variants, the final payload was delivered via a URL received directly from the command and control (C&C) server. In these cases the C&C address was hidden in the app's code using string obfuscation.

Once installed, the infected app contacted the C&C server, which responded with the URL of the final payload. The response, a JSON configuration, also named the class to be executed from the final payload. On receiving it, the app downloaded the payload and executed the named class.

Other apps used a one-stage download mechanism, in which the stager payload's URL was stored, encrypted, in the app's code. On infecting a device, the app downloaded the stager rather than the final payload; the stager was then responsible for retrieving the final payload and executing it.


The third method observed by the researchers used a two-stage download before the payload was retrieved from the C&C server: a first stage that fetches the stager, which in turn fetches the final payload. This is essentially the one-stage method with one extra hop.
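The three delivery chains described above, modelled as an added example (this is not Zscaler's code or anything taken from the samples). The network is replaced by an in-memory dictionary so it runs offline; every host, path, class name and the XOR placeholder used for the "string obfuscation" are invented for the example, since the page does not describe the real obfuscation scheme or any real indicators. The point it shows is that the app itself only ever holds one obfuscated start URL, and the variants differ solely in how many intermediate stages sit between that URL and the same final payload.

```python
import json

# Constructed, offline stand-in for the network: URL -> response body.
# Hosts, paths, class name and the XOR key are invented for this example;
# none of them is a Joker indicator, and the real samples' string
# obfuscation is not described on the page, so XOR is only a placeholder.
PAYLOAD_CLASS = "com.example.loader.Entry"                    # assumed name
FINAL_PAYLOAD = b"\xde\xad\xbe\xef" + b"final-payload-bytes"  # fake blob

FAKE_NET = {
    # Variant 1 (direct): the C&C answers with the final URL and class name.
    "https://c2.example/config": json.dumps(
        {"type": "config", "url": "https://cdn.example/final.bin",
         "class": PAYLOAD_CLASS}).encode(),
    # Variant 2 (one-stage): a stager whose only job is to fetch the payload.
    "https://cdn.example/stager1.bin": json.dumps(
        {"type": "stager", "url": "https://cdn.example/final.bin",
         "class": PAYLOAD_CLASS}).encode(),
    # Variant 3 (two-stage): a first stage that merely points at that stager.
    "https://cdn.example/stage0.bin": json.dumps(
        {"type": "stager", "url": "https://cdn.example/stager1.bin"}).encode(),
    "https://cdn.example/final.bin": FINAL_PAYLOAD,
}

KEY = b"k3y"  # assumed obfuscation key, see note above


def xor(data: bytes, key: bytes = KEY) -> bytes:
    """Symmetric XOR, used here only as a stand-in for string obfuscation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# What each variant carries inside the APK: a single obfuscated start URL.
EMBEDDED_START = {
    "direct": xor(b"https://c2.example/config"),
    "one_stage": xor(b"https://cdn.example/stager1.bin"),
    "two_stage": xor(b"https://cdn.example/stage0.bin"),
}


def fetch(url: str) -> bytes:
    """Stand-in for an HTTP GET; unknown URLs fail like a dead C&C would."""
    if url not in FAKE_NET:
        raise LookupError(f"no response for {url}")
    return FAKE_NET[url]


def follow_chain(start_url: str, max_stages: int = 4):
    """Walk intermediate stages until a non-JSON body (the payload) arrives.

    Returns (payload, class_name, stages), where stages lists the type of
    each intermediate response: 'config' from the C&C, 'stager' for code
    that was downloaded only to fetch the next hop.
    """
    url, class_name, stages = start_url, None, []
    while True:
        body = fetch(url)
        try:
            cfg = json.loads(body)
        except ValueError:            # not JSON: this is the payload itself
            return body, class_name, stages
        if len(stages) >= max_stages:
            raise RuntimeError("too many stages; refusing to follow further")
        stages.append(cfg["type"])
        url = cfg["url"]
        class_name = cfg.get("class", class_name)


def deliver(variant: str):
    """Reproduce one of the three delivery variants end to end."""
    start_url = xor(EMBEDDED_START[variant]).decode()
    return follow_chain(start_url)


if __name__ == "__main__":
    for name in EMBEDDED_START:
        payload, cls, stages = deliver(name)
        print(f"{name:10s} stages={stages} class={cls} "
              f"payload={payload[:4].hex()}")
```

The `max_stages` guard is the kind of limit an analyst's own replay harness needs, since a live stager chain can loop or redirect indefinitely; the class name surfaces at whichever hop names it, which is why the two-stage chain can still end with the same entry point as the direct one.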

Across all three delivery methods the Joker payload itself was the same, carrying out functions that ranged from SMS harvesting to wireless application protocol (WAP) billing fraud.

To reduce the chance of a seemingly legitimate app compromising users' privacy and security, Zscaler recommends restricting app permissions for SMS messages, call logs, and contacts. Reading the comments and reviews on an app before installing it can also help avoid inadvertently downloading malicious software.
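One way to act on that recommendation at scale is to audit what is already on a device. Below is an added example, not part of the article or Zscaler's tooling, that parses the permission sections of `adb shell dumpsys package <pkg>` output and flags packages that request or hold SMS, call-log or contacts permissions. The sample text is constructed to mirror the real layout of that output (package names and IDs are invented), and the regular expressions assume that layout.

```python
import re
from collections import defaultdict

# Permissions the recommendation singles out: SMS, call logs, contacts.
WATCHED = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_CONTACTS",
}

# Constructed sample in the layout of `adb shell dumpsys package <pkg>`
# output; package names and ids are invented and the real command prints
# far more than is shown here.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.pdfscanner] (1a2b3c):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
  Package [com.example.notes] (4d5e6f):
    userId=10235
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")
REQUEST_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)\s*$")


def audit(dumpsys_text: str, watched=WATCHED) -> dict:
    """Return {package: {"requested": [...], "granted": [...]}} for every
    package that requests at least one watched permission.

    A permission listed with granted=true counts as both requested and
    granted; one listed only under 'requested permissions', or with
    granted=false, counts as requested but not granted.
    """
    report = defaultdict(lambda: {"requested": set(), "granted": set()})
    pkg = None
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            pkg = m.group(1)          # new package block starts
            continue
        if pkg is None:
            continue
        m = GRANT_RE.match(line)
        if m and m.group(1) in watched:
            report[pkg]["requested"].add(m.group(1))
            if m.group(2) == "true":
                report[pkg]["granted"].add(m.group(1))
            continue
        m = REQUEST_RE.match(line)
        if m and m.group(1) in watched:
            report[pkg]["requested"].add(m.group(1))
    return {p: {k: sorted(v) for k, v in d.items()} for p, d in report.items()}


if __name__ == "__main__":
    # On a real device: adb shell dumpsys package <pkg> > dump.txt, then
    # audit(open("dump.txt").read()).
    for pkg, perms in audit(SAMPLE_DUMPSYS).items():
        print(pkg, "granted:", perms["granted"], "requested:", perms["requested"])
```

A package that merely requests `READ_SMS` is worth a second look when its stated purpose (a PDF scanner, say) gives no reason for it; one that actually holds the grant is the case to revoke first, since Joker's SMS interception depends on that permission being granted.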
