Joker malware apps bypassed Google’s Play Store security checks

July 9, 2020  By Pierluigi Paganini


Check Point research discovered that the Joker (aka Bread) Android malware once again has bypassed protections implemented by Google for its Play Store.

Researchers from security firm Check Point discovered samples of the Joker (aka Bread) malware were uploaded on the official Play Store bypassing protections implemented by Google for its users.

“Check Point’s researchers recently discovered a new variant of the Joker Dropper and Premium Dialer spyware in Google Play. Hiding in seemingly legitimate applications, we found that this updated version of Joker was able to download additional malware to the device, which subscribes the user to premium services without their knowledge or consent.” reads the analysis published by CheckPoint.

The Joker utilized two main components, the Notification Listener service that is part of the original application, and a dynamic dex file loaded from the C&C server that is used to subscribe the user to the services.

The malicious DEX executable was obfuscated inside seemingly legitimate applications as Base64 encoded strings, which are then decoded and loaded once the users have downloaded it on its device.

The new version of the Joker malware was able to download additional malware to the compromised device, which subscribes the victim to premium services without their consent.

The fight to the Joker malware (aka Bread) begun in September 2019 when security experts at Google removed from the official Play Store 24 apps because they were infected with a new spyware tracked as “the Joker.

The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disable the Google Play Protect service, install malicious apps, generate fake reviews, and show ads.

The spyware is able to steal SMS messages, contact lists, and device information and to sign victims up for premium service subscriptions.

In January, Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware.

Versions of the Joker malware were involved in toll fraud that consists of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.

Unfortunately, the malware is under constant development, and fresh Joker samples have been found in February into the official Play Store, according to the experts they were specifically designed to avoid Google’s store checks.

Check Point researchers discovered 11 apps in the Play Store and reported them to Google, which removed them from the store on April 30, 2020.

During their analysis, Check Point researchers detected an “in-between” variant, that was hiding the .dex file as Base64 strings, but instead of adding the strings to the Manifest file it was locating inside an internal class of the main application.

The malicious code reads the strings, decode them from Base64, and load it with reflection.

“During our research, we have also detected an “in-between” variant, that utilized the technique of hiding the .dex file as Base64 strings – but instead of adding the strings to the Manifest file, the strings were located inside an internal class of the main application. In this case, all that was needed for the malicious code to run was to read the strings, decode them from Base64, and load it with reflection.” continues the analysis.

The C&C server used for the latest variant of Joker return “false” on the status code to hide the entire functionality.

“The new payload contained code that the original Joker had in its main dex file – the registration of the NotificationListener service, subscribing the user to premium services, and more. But now, after this change, all that the actor needed in order to hide the entire functionality was to set the C&C server to return “false” on the status code, and none of the malicious activity would occur.” concludes the report.

“If you suspect you may have one of these infected apps on your device, here’s what you should do:

  • Uninstall the infected application from the device
  • Check your mobile and credit-card bills to see if you have been signed up for any subscriptions and unsubscribe if possible
  • Install a security solution to prevent future infections”
[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Joker)

[adrotate banner=”5″]

[adrotate banner=”13″]



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.








  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

15 billion credentials available in the cybercrime marketplaces

 More than 15 billion username and passwords are available on cybercrime marketplaces, including over 5 billion unique credentials,...