Security researchers from Zscaler spotter 17 apps in the Play Store that were infected with the Joker (Bread) malware.
The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disable the Google Play Protect service, install malicious apps, generate fake reviews, and show ads.
The spyware is able to steal SMS messages, contact lists and device information along with to sign victims up for premium service subscriptions.
In October, Google has removed from Google Play 24 apps because they were infected with Joker malware, the 24 malicious apps had a total of 472,000 installs.
In January, Google successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware.
In February, the infamous Joker malware has found a way to bypass the security checks to be published in the official Play Store, Check Point researchers discovered a new clicker.
In July, Google removed another batch of apps infected with the Joker malware that was discovered by security researchers from Anquanke, the malicious applications had been active since March and allegedly infected millions of devices.
Early September Google removed another six apps that have been spotted by security researchers from Pradeo.
Now Google removed 17 new Android apps, which were reported by ZScaler, from the Play Store.
“Our Zscaler ThreatLabZ research team has been constantly monitoring the Joker malware. Recently, we have seen regular uploads of it onto the Google Play store.” reads the post published by ZScaler. “Once notified by us, the Google Android Security team took prompt action to remove the suspicious apps (listed below) from the Google Play store.”
According to the experts the 17 different samples were uploaded to Google Play in September 2020 and they had a total of 120,000 downloads.
Below the list of the infected apps discovered on the Google Play store:
The analysis published by ZScaler includes details about the tactics used by the Joker malware author to bypass the Google Play vetting process.
In a first attack scenario detailed by the experts, for some of the Joker variants, the final payload was delivered via a direct URL received from the C2 server. In this variant, the C&C address was hidden in the code itself with string obfuscation.
In a second download scenario, some infected apps used a stager payload to retrieve the final payload. In this case, the stager payload URL encoded in the code itself was encrypted using Advanced Encryption Standard (AES).
In a third scenario, some groups of infected Google Play store apps were using two-stager payload downloads to retrieve the final payload. The Google Play infected app downloads the stage one payload, which in turn downloads the stage two payload, which finally loads the end Joker payload.
Unlike previous two scenarios, the infected app contacts the C&C server for stage one payload URL, which hides it in response location header.
Additional technical details, including Indicators of Compromise (IoCs), are included in the report published by ZScaler.
“We recommend paying close attention to the permission list in the apps that you install on your Android device. Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page aslo helps identify compromised apps.” concludes the report.
(SecurityAffairs – hacking, Google Play)