The original Joker malware was identified on the Play Store back in September 2019.
Android faces a multitude of hostile malware families that periodically try to find their way back onto the platform. One such strain is Joker, which has previously been caught tricking users into subscribing to premium services without their consent.
This time it is back to do the same, albeit with a different technique to evade Google’s security filters. This is alarming for Android users, since just yesterday it was reported that the dangerous Cerberus banking trojan was also found on the Google Play Store.
Reported by Check Point, the new variant uses two components to do its job: a notification listener service that is part of the legitimate application, and a “dynamic dex file” that it retrieves from its C2 server in order to complete the subscription on the user’s behalf.
According to the researchers, a new technique at play in this variant is that it,
“Now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded.”
Another interesting aspect is that, unlike before, the dex file is also retrieved with the help of the Manifest file that is present inside every application.
Furthermore, the researchers state that another “in-between” variant was also spotted which they believe “utilized the technique of hiding the .dex file as Base64 strings – but instead of adding the strings to the Manifest file, the strings were located inside an internal class of the main application.
In this case, all that was needed for the malicious code to run was to read the strings, decode them from Base64, and load it with reflection.”
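As an added defensive illustration (not code from the Check Point report or from this article), the script below scans a decoded AndroidManifest.xml or decompiled source text for long Base64 runs that decode to a Dalvik executable, which is the trace the manifest and internal-class variants described above would leave behind. It assumes the manifest has already been decoded to plain XML (for example with apktool); the sample manifest, the package name com.example.placeholder, the stand-in payload and the helper names are constructed for the example.

```python
import base64
import re

# Every Dalvik executable starts with "dex\n" + a three-digit version + NUL
DEX_MAGIC_RE = re.compile(rb"^dex\n\d{3}\x00")

# A run of Base64 alphabet characters long enough to plausibly carry code
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/=]{64,}")


def decode_candidate(s: str):
    """Strictly decode a Base64 run; return None if it is not valid Base64."""
    padded = s + "=" * (-len(s) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def find_embedded_dex(text: str):
    """Return (offset, decoded_bytes) for each Base64 run that decodes to a dex file."""
    hits = []
    for m in B64_RUN_RE.finditer(text):
        blob = decode_candidate(m.group(0))
        if blob is not None and DEX_MAGIC_RE.match(blob):
            hits.append((m.start(), blob))
    return hits


# --- constructed sample input (not a real app or payload) ---
# Benign value: an ordinary string stored as Base64, which must not be flagged
BENIGN_B64 = base64.b64encode(
    b"ordinary configuration value stored as base64, nothing executable"
).decode()
# Stand-in "payload": a bare dex header followed by zero padding, nothing runnable
FAKE_DEX_B64 = base64.b64encode(b"dex\n035\x00" + b"\x00" * 56).decode()

SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.placeholder">
  <application>
    <meta-data android:name="config" android:value="{BENIGN_B64}"/>
    <meta-data android:name="res_0" android:value="{FAKE_DEX_B64}"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for offset, blob in find_embedded_dex(SAMPLE_MANIFEST):
        print(f"embedded dex at offset {offset}: {len(blob)} bytes, magic {blob[:8]!r}")
```

The same scan applied to decompiled class files catches the “in-between” variant that kept the strings in an internal class instead of the manifest.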
The infected apps are listed below by package name. Check your device for any of these packages; if one is installed, uninstall it and also check your credit/debit card statements for any unauthorized charges.
Package names:
com.remindme.alram
com.file.recovefiles
com.hmvoice.friendsms
com.LPlocker.lockapps
com.training.memorygame
com.contact.withme.texts
com.imagecompress.android
com.cheery.message.sendsms
com.peason.lovinglovemessage
com.relax.relaxation.androidsms
In conclusion, neither we nor Google have an answer on how to stop evolving malware from getting into legitimate applications despite the increasing security in place. The only solution seems to be user vigilance, which we have pointed out many times before.
Use reliable anti-virus software, scan your device regularly, and avoid downloading unnecessary apps from the Play Store and third-party platforms. Always check the authenticity of app reviews, the developer’s reputation, and other details such as the total number of installations before letting an app onto your device.