The fight against the Joker malware (aka Bread) began in September 2019, when security experts at Google removed 24 apps from the official Play Store because they were infected with a new spyware tracked as “the Joker.”
The Joker malware is malicious code camouflaged as a system app that allows attackers to perform a broad range of malicious operations, including disabling the Google Play Protect service, installing malicious apps, generating fake reviews, and showing ads.
The spyware is able to steal SMS messages, contact lists, and device information and to sign victims up for premium service subscriptions.
In January, Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware.
The most recent versions of the Joker malware have been involved in toll fraud, which consists of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.
Unfortunately, the malware is under constant development, and new samples that have been found in the official Play Store were specifically designed to avoid Google’s store checks.
Researchers at Check Point have recently discovered a new clicker malware family, along with fresh samples of the Joker spyware, in Google Play. A clicker is used by crooks in ad fraud to mimic user clicks on advertisements.
The new samples in the Play Store found by the experts are
The following tainted apps were
The authors of the Joker malware attempt to hide its functionality by obfuscating the strings it uses; the recently discovered samples relied on a simple XOR cipher with a static key.
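A static-key XOR cipher hides strings from a grep over the APK, but it is trivially reversible once the key is known, and for a single-byte key an analyst can recover it by trying all 256 candidates and keeping the one that turns every ciphertext into identifier- or URL-like text. The following is an added example for that recovery step; it is not code from the Check Point report or from any Joker sample. The ciphertexts, the key 0x5A, and the scoring alphabet are all constructed here for the example.

```python
# Added example (not from the Check Point report): recovering strings that a
# sample obfuscated with a single-byte XOR cipher and a static key.
# The ciphertexts below are constructed by XOR-encoding plaintext with a
# made-up key; they are not strings taken from a real Joker sample.
import string

# Bytes we expect in permission names, class names and URLs. A tighter alphabet
# than "printable ASCII" keeps near-miss keys (off by one or two bits) from
# scoring as well as the real one.
ALPHABET = set((string.ascii_letters + string.digits + "._:/-").encode())


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same single-byte key (encoding == decoding)."""
    return bytes(b ^ key for b in data)


def alphabet_score(data: bytes) -> float:
    """Fraction of bytes that fall inside ALPHABET; 1.0 means fully plausible."""
    if not data:
        return 0.0
    return sum(b in ALPHABET for b in data) / len(data)


def recover_key(ciphertexts, threshold: float = 0.97):
    """Try all 256 single-byte keys and return the one whose worst-case
    decoding (over all ciphertexts) scores best, or None if nothing reaches
    the threshold (e.g. the key is longer than one byte)."""
    best_key, best_score = None, 0.0
    for key in range(256):
        score = min(alphabet_score(xor_bytes(c, key)) for c in ciphertexts)
        if score > best_score:
            best_key, best_score = key, score
    return best_key if best_score >= threshold else None


def decode_all(ciphertexts, key: int):
    """Decode every ciphertext with the recovered key into readable strings."""
    return [xor_bytes(c, key).decode("ascii", errors="replace") for c in ciphertexts]


# Constructed sample input: plausible strings, a made-up key, and the
# ciphertexts an analyst would actually have in hand.
CONSTRUCTED_KEY = 0x5A
CONSTRUCTED_PLAINTEXTS = [
    b"android.permission.SEND_SMS",
    b"android.permission.READ_SMS",
    b"https://example.invalid/config",  # placeholder, not a real C2 URL
]
CONSTRUCTED_CIPHERTEXTS = [xor_bytes(p, CONSTRUCTED_KEY) for p in CONSTRUCTED_PLAINTEXTS]

if __name__ == "__main__":
    key = recover_key(CONSTRUCTED_CIPHERTEXTS)
    print(f"recovered key: {key:#04x}")
    for s in decode_all(CONSTRUCTED_CIPHERTEXTS, key):
        print(s)
```

The same loop generalises to multi-byte static keys by scoring each key position independently over the bytes it covers; a `None` result from `recover_key` is the hint that the key is longer than one byte.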
“While avoiding the US and Canada, this Joker campaign proves the quick
Once the malware has checked the region of the target device, it contacts the C2 server to load a configuration file containing a URL for another payload, which is then downloaded and executed.
The subscription process is totally invisible to the user because the URLs for the premium services are opened in a hidden
“With access to the notification listener, and the ability to send SMS, the payload listens for incoming SMS and extracts the premium service confirmation code (2FA) and sends it to the “Offer Page”, to subscribe the user to that premium service,” continues the report. “But how does the malware subscribe the user to those services in the first place, you might ask. Inside the configuration received from the C&C server, a list of URLs to contact (“Offer pages”) is processed and opened in a hidden
Check Point researchers discovered a new clicker malware family, tracked as Haken, that was hidden in eight apps on the Play Store that collectively have more than 50,000 installations.
“The Haken clicker utilizes native code and injection into Facebook and AdMob libraries while communicating with a remote server to get the configuration,” continues the analysis.
“The first entry point of the Haken clicker is the receiver called ‘
Usually, the tainted apps request permissions that the legitimate app does not need.
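Both the Joker description above (SMS access plus a notification listener, used to pick up subscription confirmation codes) and the observation that tainted apps ask for permissions their advertised functionality does not need point at the same cheap triage check: compare what an APK's manifest declares against what an app of that kind should need, and flag the excess. The following is an added example of that check, not code from Check Point or from the report; the manifest, the app category allowlists and the `com.example.wallpaper` package name are constructed for the example, while the permission strings are real Android permission identifiers.

```python
# Added example (not from the Check Point report): triaging the permissions an
# APK declares in AndroidManifest.xml against what the app's stated purpose
# should need. The manifest and the per-category allowlists are constructed
# for this example; the permission names are real Android identifiers.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Permissions that match the behaviour described for the Joker payload:
# reading/sending SMS and reading notifications to harvest confirmation codes.
HIGH_RISK = SMS_PERMISSIONS | {NOTIFICATION_LISTENER}

# Constructed baselines: what an app in each category plausibly needs.
# A real baseline would be derived from the app's documented functionality.
EXPECTED = {
    "wallpaper": {"android.permission.INTERNET", "android.permission.SET_WALLPAPER"},
    "messaging": {"android.permission.INTERNET"} | SMS_PERMISSIONS,
}


def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus permissions that guard <service>
    elements (a notification listener is declared that way)."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    for svc in root.iter("service"):
        guard = svc.get(ANDROID_NS + "permission")
        if guard:
            perms.add(guard)
    return perms


def triage(manifest_xml: str, category: str) -> dict:
    """Report permissions the category does not justify, which of those are
    high-risk, and whether the SMS + notification-listener combination that
    enables silent premium-subscription fraud is present."""
    perms = declared_permissions(manifest_xml)
    unexpected = perms - EXPECTED[category]
    return {
        "unexpected": sorted(unexpected),
        "high_risk": sorted(unexpected & HIGH_RISK),
        "sms_and_notification_access": bool(perms & SMS_PERMISSIONS)
        and NOTIFICATION_LISTENER in perms,
    }


# Constructed manifest for a supposed wallpaper app that also wants SMS and
# notification access, i.e. the mismatch the article describes.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage(CONSTRUCTED_MANIFEST, "wallpaper")
    for key, value in report.items():
        print(f"{key}: {value}")
```

The allowlist is the part that needs care: it must be built from what the app claims to do, not from what it asks for, otherwise the check degenerates into approving everything. The combined SMS-plus-notification-listener flag is deliberately reported even when a category "expects" SMS, because it is the pairing, not either permission alone, that enables the subscription flow described above.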
Haken leverages these permissions to load a native library (‘
“One worker communicates with the C&C server to download a new configuration and process it, while the other is triggered by the timer, checks for requirements and injects code into the Ad-related Activity classes of well-known Ad SDKs like Google’s AdMob and Facebook,” states Check Point.
The report includes IoCs and the list of malicious apps, urging users to remove them from their devices.