Information security experts in 2017 first discovered the Joker malware (or Bread, in Google terminology). Joker has developed rapidly and even entered Google Play earlier this year. However, it was nevertheless cleared from there in all cases.
Initially, the malware was developed for SMS fraud, but since then much has changed, especially after the introduction of a new policy restricting the use of SEND_SMS, as well as increasing the protection of Google Play Protect.Because of this, new versions of Joker used a different type of fraud: they tricked their victims into subscribing to various types of content or buying it, paying from a mobile phone bill. To accomplish this without user interaction, malware operators used click injections, custom HTML parsers, and SMS receivers.
Over time, Joker has evolved so much that it has used almost all the well-known hiding and obfuscation techniques, and at the beginning of this year, more and more Joker options were found on Google Play, some of the components of which were moved to the native code.
Now, experts from Check Point have announced that they have again found Joker in the official app catalog.
Joker is constantly changing, adapting to new conditions. We found that it is hiding in a file with the necessary information, the file that is contained in each Android application”, — says Aviran Hazum, Mobile Research Specialist at Check Point Software Technologies.
This time, the malware hid malicious code (the malicious DEX executable encoded by Base64) inside the manifest file in legitimate applications. The manifest file is stored in the root folder of the application and contains important information that the Android system needs, including information about the name, icon and necessary rights. Only after receiving data from the manifest, the system can execute any application code.
This time, the Joker attack was conduted in three stages. The first step is preparing the payload. Joker operators injected malicious code into the manifest file in advance, but the direct payload was not immediately downloaded. So, during the checks, Joker did not even try to download a malicious payload, which helped the malware operators once again deceive the Google Play Store protection tools. Only after the security mechanisms in the Google Play Store approved the application, the payload was determined and downloaded directly to the victim’s device.
As a result, a new variation of Joker could download additional malware to the device that secretly signed the victim to paid services. In the official Google directory, were found 11 such infected applications that were removed from the Play Store until April 30, 2020.
Our recent research shows that Google Play Store protection is not enough. We have revealed weekly numerous instances of Joker downloading to Google Play, each of which was produced by unsuspecting users”, – says Aviran Hazum.
According to Check Point, Joker malware is hard to detect despite Google’s investment in Play Store security.
Although Google has now removed the malicious applications from the Play Store, it can be assumed that Joker will return again. Each user should know about this program and understand how you can suffer from it.