Google removes 17 apps infected with evasive ‘Joker’ malware

Researchers identify three variations in the way the 'fleeceware' strain infects victims' Android devices

Google has removed a further 17 apps embedded with Joker malware after security experts warned of the fleeceware's continued rise in prominence. 

The billing-fraud strain of malware was found in six apps marketing themselves as legitimate in early September, accounting for 200,000 installs. Google has now removed a further 17 apps infected with the malware from the Play Store after researchers with Zscaler alerted the company to their presence.

The malware simulates clicks and intercepts SMS messages to trick users into subscribing to unwanted premium services. These strains of malware, known as fleeceware, are generally difficult to detect because they use minimal code.

The 17 Android apps removed from the Play Store, downloaded around 120,000 times in total, includes All Good PDF Scanner, Mint Leaf Message, Unique Keyboard - Fancy Fonts & Free Emoticons, and Tangram App Lock, among others. These malicious apps also included a host of other messaging platforms, scanners and PDF converters, as well as photo editing tools.

Upon identifying these apps, Zscaler decided to establish the variations in payload deployment, as well as how and why Joker remains so evasive.

In a host of Joker variants, the final payload was delivered using a direct URL received from the command and control (C&C) server. The app, in these cases, had the C&C address hidden in the code with string obfuscation. 

The infected app would contact the C&C server once the app was installed, which would then respond with the URL of a final payload. The JSON file also contained information related to the class name required to be executed from the final payload. The app, on receiving the JSON configuration, downloads the payload and executes it. 

Some apps, alternatively, operated under a one-stage download mechanism, in which the app used an encrypted stager payload URL encoded in the code itself. When infecting a device, the app downloads the stager payload rather than a final payload, which is then tasked with retrieving the final payload and executing it.

Related Resource

Why IT leaders should consider a zero trust network access strategy

Enabling business while staying secure

Download now

The third method observed by researchers involves a complex two-stage download prior to retrieving the payload from the C&C server. This essentially adds an additional step to the previous one-stage download method. 

Through all the variations of the method, the Joker payload remained the same throughout, executing functions that ranged from SMS harvesting to wireless application protocol (WAP) billing fraud.

To prevent the chances of any seemingly legitimate apps compromising users’ privacy and security, Zscaler has recommended ensuring that application permissions for accessing SMS messages, call logs, and contacts are restricted. Reading comments or reviews for many apps may also help to prevent inadvertently downloading malicious software.

Most Popular

The benefits of workload optimisation

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
Six ways boards can step up support for cyber security
Business strategy

Six ways boards can step up support for cyber security

22 Jul 2021