Google removes 17 apps infected with evasive ‘Joker’ malware

Researchers identify three variations in the way the 'fleeceware' strain infects victims' Android devices

Google has removed a further 17 apps embedded with Joker malware after security experts warned of the fleeceware's continued rise in prominence. 

The billing-fraud strain of malware was found in six apps marketing themselves as legitimate in early September, accounting for 200,000 installs. Google has now removed a further 17 apps infected with the malware from the Play Store after researchers with Zscaler alerted the company to their presence.

The malware simulates clicks and intercepts SMS messages to trick users into subscribing to unwanted premium services. These strains of malware, known as fleeceware, are generally difficult to detect because they use minimal code.

The 17 Android apps removed from the Play Store, downloaded around 120,000 times in total, includes All Good PDF Scanner, Mint Leaf Message, Unique Keyboard - Fancy Fonts & Free Emoticons, and Tangram App Lock, among others. These malicious apps also included a host of other messaging platforms, scanners and PDF converters, as well as photo editing tools.

Upon identifying these apps, Zscaler decided to establish the variations in payload deployment, as well as how and why Joker remains so evasive.

In a host of Joker variants, the final payload was delivered using a direct URL received from the command and control (C&C) server. The app, in these cases, had the C&C address hidden in the code with string obfuscation. 

The infected app would contact the C&C server once the app was installed, which would then respond with the URL of a final payload. The JSON file also contained information related to the class name required to be executed from the final payload. The app, on receiving the JSON configuration, downloads the payload and executes it. 

Some apps, alternatively, operated under a one-stage download mechanism, in which the app used an encrypted stager payload URL encoded in the code itself. When infecting a device, the app downloads the stager payload rather than a final payload, which is then tasked with retrieving the final payload and executing it.

Related Resource

Why IT leaders should consider a zero trust network access strategy

Enabling business while staying secure

Download now

The third method observed by researchers involves a complex two-stage download prior to retrieving the payload from the C&C server. This essentially adds an additional step to the previous one-stage download method. 

Through all the variations of the method, the Joker payload remained the same throughout, executing functions that ranged from SMS harvesting to wireless application protocol (WAP) billing fraud.

To prevent the chances of any seemingly legitimate apps compromising users’ privacy and security, Zscaler has recommended ensuring that application permissions for accessing SMS messages, call logs, and contacts are restricted. Reading comments or reviews for many apps may also help to prevent inadvertently downloading malicious software.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

Microsoft spearheads industry-wide charter against AI cyber attacks
Security

Microsoft spearheads industry-wide charter against AI cyber attacks

23 Oct 2020
Weekly threat roundup: Chrome, Citrix and WordPress
Security

Weekly threat roundup: Chrome, Citrix and WordPress

23 Oct 2020
IT services giant Sopra Steria falls victim to Ryuk ransomware
Security

IT services giant Sopra Steria falls victim to Ryuk ransomware

23 Oct 2020
CMS platforms succumb to KashmirBlack botnet as businesses rush online
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020