After removing six apps infected with the Joker malware earlier in Sep, Google has now removed 16 more apps from its Play Store.
The Joker malware, a billing-fraud strain of malware, has proven to be a persistent threat for Google Android. Despite the company’s relentless efforts, it’s still found in apps available on the Play Store.
In September, Google removed six such apps, which were infected with the Joker malware, as identified by Pradeo cybersecurity firm. These apps had a total of 200,000 downloads but in July 2020, the Joker malware was once again witnessed on Play Store.
Now, according to a report from cybersecurity firm Zscaler, Google has removed 16 more apps for the same reason. These apps were uploaded to the Play Store in September and had 120,000 downloads.
Zcaler’s Viral Gandhi explained that Joker is a spyware that can simulate clicks. It is called fleeceware, designed for stealing contact lists, SMS messages, and device information from the phone, apart from discreetly subscribing for “premium wireless application protocol (WAP) services.”
Joker malware is difficult to detect since it used minimal code. Zscaler researchers tried to understand how it remains so evasive and its payload deployment variations. They learned that the final payload is delivered via a direct URL in most of its variants, which the C&C server sends to the apps. The apps already have the C&C server address hidden inside their code with string obfuscation.
The apps contacted the C&C server soon after installing and then accepting the URL containing the final payload configuration in a JSON file. The file also includes information on the class name it needs to execute itself from the payload. After receiving the configuration, the app downloads and executed the final payload.
Some apps use single-step download mechanisms where an encrypted stager payload URL is encoded in the code. So after infecting the device, instead of downloading the final payload, the app downloads the encrypted stager payload to retrieve the payload and execute it.
There is a third method that some of the apps used for the execution of the payload. It is a complicated method involving an additional step before retrieving the payload from the C&C server.
Researchers also noted that despite several variations, the Joker payload remained the same throughout and performed similar functions.
We recommend paying close attention to the permission list in the apps that you install on your Android device. Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page also helps identify compromised apps, researcher said in a blog post.
Here’s a full list of the apps compiled by researchers:
Private SMS Care Message Part Message Blue Scanner Desire Translate Direct Messenger Paper Doc Scanner Tangram App Lock Style Photo Collage Meticulous Scanner All Good PDF Scanner Talent Photo Editor - Blur focus Mint Leaf Message-Your Private Message Hummingbird PDF Converter - Photo to PDF Unique Keyboard - Fancy Fonts & Free Emoticons One Sentence Translator - Multifunctional Translator
Zscaler notified Google about the apps infected with Joker malware, and the company’s IT team promptly removed them.