Researchers from security firm Check Point discovered samples of the Joker (aka Bread) malware were uploaded on the official Play Store bypassing protections implemented by Google for its users.
“Check Point’s researchers recently discovered a new variant of the Joker Dropper and Premium Dialer spyware in Google Play. Hiding in seemingly legitimate applications, we found that this updated version of Joker was able to download additional malware to the device, which subscribes the user to premium services without their knowledge or consent.” reads the analysis published by CheckPoint.
The Joker utilized two main components, the Notification Listener service that is part of the original application, and a dynamic dex file loaded from the C&C server that is used to subscribe the user to the services.
The malicious DEX executable was obfuscated inside seemingly legitimate applications as Base64 encoded strings, which are then decoded and loaded once the users have downloaded it on its device.
The new version of the Joker malware was able to download additional malware to the compromised device, which subscribes the victim to premium services without their consent.
The fight to the Joker malware (aka Bread) begun in September 2019 when security experts at Google removed from the official Play Store 24 apps because they were infected with a new spyware tracked as “the Joker.”
The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disable the Google Play Protect service, install malicious apps, generate fake reviews, and show ads.
The spyware is able to steal SMS messages, contact lists, and device information and to sign victims up for premium service subscriptions.
In January, Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware.
Versions of the Joker malware were involved in toll fraud that consists of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.
Unfortunately, the malware is under constant development, and fresh Joker samples have been found in February into the official Play Store, according to the experts they were specifically designed to avoid Google’s store checks.
Check Point researchers discovered 11 apps in the Play Store and reported them to Google, which removed them from the store on April 30, 2020.
During their analysis, Check Point researchers detected an “in-between” variant, that was hiding the .dex file as Base64 strings, but instead of adding the strings to the Manifest file it was locating inside an internal class of the main application.
The malicious code reads the strings, decode them from Base64, and load it with reflection.
“During our research, we have also detected an “in-between” variant, that utilized the technique of hiding the .dex file as Base64 strings – but instead of adding the strings to the Manifest file, the strings were located inside an internal class of the main application. In this case, all that was needed for the malicious code to run was to read the strings, decode them from Base64, and load it with reflection.” continues the analysis.
The C&C server used for the latest variant of Joker return “false” on the status code to hide the entire functionality.
“The new payload contained code that the original Joker had in its main dex file – the registration of the NotificationListener service, subscribing the user to premium services, and more. But now, after this change, all that the actor needed in order to hide the entire functionality was to set the C&C server to return “false” on the status code, and none of the malicious activity would occur.” concludes the report.
“If you suspect you may have one of these infected apps on your device, here’s what you should do:
(SecurityAffairs – hacking, Joker)