Joker Malware – New Tricks on an Old Dog


Friday, July 10th, 2020

The ‘Joker’ malware, first discovered in 2017, has once again found its way onto the Google Play Store, Google’s official Android app store. Originally designed to perform SMS fraud, the unknown threat actor behind the Joker malware has since shifted focus to a type of attack known as ‘toll fraud.’ Toll fraud is a type of mobile billing fraud in which users are tricked into subscribing to or purchasing content that is charged to their mobile phone bill. This change in tactics can be attributed to the new Play Store policies implemented by Google that restrict the use of the SEND_SMS permission and increase Google Play Protect’s coverage.


This new variant of Joker was able to successfully infiltrate the Play Store and infect Android users by hiding the malicious payload, a DEX file, in the form of Base64-encoded strings within the AndroidManifest files of benign-looking apps. These files are used to provide the Android build tools, the Android OS, and the Google Play Store with essential information about an application. Thanks to this technique, the malware is able to avoid detection while being analyzed during the submission process, and it eliminates the need for the malware to connect to a command and control server to download any additional malicious components onto the compromised device.


According to Check Point’s Manager of Mobile Research, Aviran Hazum, the new method of infection used by Joker includes three steps:

  1. Build the payload first – Joker builds its payload beforehand, inserting it into the AndroidManifest file
  2. Skip payload loading – During the submission process, Joker does not even try to load the malicious payload, which makes it a lot easier to bypass Google’s Play Store protections
  3. Malware spreads – After the submission process and the application has been approved, the campaign starts to operate

In many ways, the Joker malware has adapted and is able to hide within the essential information file that every Android application is required to have. This new variant has proved that Google’s Play Store protections are not enough, as Check Point has detected numerous cases of Joker uploads on a weekly basis to Google Play.
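As an added defensive example (not code from the article or from Check Point), the following Python scans a decoded AndroidManifest.xml for attribute values that contain long Base64 runs decoding to bytes with a DEX file header, which is the hiding technique described above. It assumes the manifest has already been decoded from the APK's binary XML (for example with apktool), and the manifest it scans is a constructed sample, not a real Joker sample.

```python
import base64
import re
import xml.etree.ElementTree as ET

# DEX header magic: "dex\n", a three-digit format version, then a NUL byte.
DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")

# Candidate Base64 runs: 64+ chars of the standard alphabet plus optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def decode_base64_lenient(run):
    """Decode a Base64 run, tolerating missing padding; None if it is not valid Base64."""
    padded = run + "=" * (-len(run) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def find_embedded_dex(manifest_xml):
    """Return (element tag, attribute name, decoded byte length) for every attribute
    value holding a Base64 run whose decoded bytes start with a DEX header."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            for run in B64_RUN.findall(value):
                decoded = decode_base64_lenient(run)
                if decoded is not None and DEX_MAGIC.match(decoded):
                    # Strip the "{namespace}" prefix ElementTree puts on android:* attributes.
                    findings.append((elem.tag, attr.split("}")[-1], len(decoded)))
    return findings


def build_sample_manifest():
    """Constructed sample manifest (hypothetical app, not a real Joker sample):
    one meta-data value is a Base64 blob that begins with a DEX header."""
    fake_dex = b"dex\n035\x00" + bytes(range(256)) * 2  # 8-byte header + 512 filler bytes
    blob = base64.b64encode(fake_dex).decode()
    return (
        '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">'
        '<application android:label="Example">'
        f'<meta-data android:name="config" android:value="{blob}"/>'
        '<meta-data android:name="channel" android:value="release-2020"/>'
        "</application></manifest>"
    )


if __name__ == "__main__":
    for tag, attr, size in find_embedded_dex(build_sample_manifest()):
        print(f"DEX header found in <{tag} {attr}=...>: {size} decoded bytes")
```

Real payloads may be split across several attributes or lightly obfuscated, so the run-length threshold and the DEX-magic check together are a triage heuristic for a manifest, not a complete detector.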


Users who suspect they may have been infected by a Joker-infested application should immediately remove the suspected application from their phone, check their mobile and credit card bills for new subscriptions, and cancel any such subscriptions immediately.

For a set of known Joker malware indicators of compromise, please see the attached PDF at the end of this article, titled “Joker IOCs.”

