The Joker Malware Infects More Play Store Apps Using New Tricks Under Its Sleeves

The Joker

As mobile devices have become common, hackers know exactly where to target their campaigns for maximum reach.

Malicious actors do this by developing apps and infecting them with malware. These apps are then uploaded and marketed on app stores for maximum exposure, in order to reach the largest number of potential victims.

Among the malware families available to them is the notorious Joker.

First seen in 2019, the Joker has since been tweaked and developed to infect more apps, and also to infect apps on Huawei.

While Google has improved the Android ecosystem, the Google Play Store was still riddled with the Joker, as even more of the malware was found.

As if making another round, yet more apps carrying the Joker malware have been found.

Cybersecurity researchers at Zscaler have found a total of 11 apps on the Play Store that were infected with the Joker malware; together, they had managed to reach 30,000 installs on the store.

According to Zscaler's blog post:

"Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services."

The apps included:

  1. Free Affluent Message.
  2. PDF Photo Scanner.
  3. delux Keyboard.
  4. Comply QR Scanner.
  5. PDF Converter Scanner.
  6. Font Style Keyboard.
  7. Translate Free.
  8. Saying Message.
  9. Private Message.
  10. Read Scanner.
  11. Print Scanner.

The researchers found that the apps offered features for productivity, communication and other utilities like keyboards.

10 of the 11 apps with the Joker malware. (Credit: Zscaler)

What let the apps slip past Google's radar is the malware's ever-changing methods.

"Joker is well known for changing its tactics to bypass the Google Play store vetting process. This time we saw Joker using URL shortener services to retrieve the first level of payload. Unlike the previous campaign where the payloads were retrieved from the Alibaba Cloud, in this campaign we saw the Joker-infected apps download the mediator payload with URL shortener services like TinyURL, bit.ly, Rebrand.ly, zws.im or 27url.cn to hide the known Cloud service URLs serving stage payloads."

In other words, the malicious actors behind the malware have given the Joker some new tricks up its sleeve.
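The shortener trick described in the Zscaler quote leaves a trace a defender can look for: an app that is not a browser fetching a link from tinyurl.com, bit.ly, Rebrand.ly, zws.im or 27url.cn and following the redirect to a cloud host. The script below is an added example, not Zscaler's code or the malware's; it scans constructed HTTP proxy log lines (the log format, package names and hosts are invented placeholders) and reports each shortener request with its redirect target, so the hidden payload URL can be reviewed.

```python
"""Flag first-stage payload fetches that go through URL shorteners.

Added example, not from the Zscaler write-up. It scans constructed proxy log
lines from Android devices and reports any app that requested one of the
shortener services named in the report, together with the redirect target.
"""
import re
from urllib.parse import urlsplit

# Shortener services named in the Zscaler report.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "rebrand.ly", "zws.im", "27url.cn"}

# Constructed log lines; the log format, package names and hosts are placeholders.
SAMPLE_LOG = """\
2021-07-20T10:01:02Z app=com.example.notes method=GET url=https://api.example.net/sync status=200 location=-
2021-07-20T10:01:05Z app=com.example.fontkeyboard method=GET url=https://tinyurl.com/x9q2lk status=301 location=https://stage.cloud.example/m.jar
2021-07-20T10:01:06Z app=com.example.fontkeyboard method=GET url=https://stage.cloud.example/m.jar status=200 location=-
2021-07-20T10:02:11Z app=com.example.browser method=GET url=https://bit.ly/3abcd status=301 location=https://news.example.org/story
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) method=(?P<method>\S+) url=(?P<url>\S+) "
    r"status=(?P<status>\d{3}) location=(?P<location>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shortener(url):
    """True when the URL's host (ignoring a leading www.) is a known shortener."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host in SHORTENER_HOSTS


def find_shortener_fetches(log_text):
    """Return one finding per request to a shortener, with the redirect target."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or not is_shortener(rec["url"]):
            continue
        findings.append({
            "app": rec["app"],
            "shortener": urlsplit(rec["url"]).hostname,
            # A 3xx Location header reveals the cloud URL the shortener was hiding.
            "target": None if rec["location"] == "-" else rec["location"],
        })
    return findings


def apps_to_review(log_text, allowlist=()):
    """Package names that used a shortener and are not allowlisted (e.g. browsers)."""
    return sorted({f["app"] for f in find_shortener_fetches(log_text)} - set(allowlist))


if __name__ == "__main__":
    for f in find_shortener_fetches(SAMPLE_LOG):
        print(f"{f['app']}: {f['shortener']} -> {f['target']}")
    print("review:", apps_to_review(SAMPLE_LOG, allowlist=["com.example.browser"]))
```

Browsers and messaging apps legitimately open shortened links, which is why the allowlist exists; the signal worth triaging is a utility app such as a keyboard or scanner fetching a shortener link and then downloading whatever the redirect points at.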

Things go further than that, as the Joker payloads can also abuse Android's notification access functionality.

Once installed, the malware prompts the user for notification access. Granting it allows the malware to potentially read every notification posted by the device and by any other installed app. Once the user has allowed this setting, the malware has the control it needs to carry out its malicious activities.
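An app can only ask for notification access if it declares a notification listener service in its manifest, so that declaration is something a reviewer can check for before the prompt ever appears. The script below is an added example, not Zscaler's tooling; it assumes the manifest has already been decoded to plain XML (for instance by unpacking the APK) and uses a constructed manifest whose package name and service name are placeholders. It flags any service bound with `android.permission.BIND_NOTIFICATION_LISTENER_SERVICE` or filtering the `NotificationListenerService` action, and lists requested permissions matching the data the article says the Joker steals (SMS and contacts).

```python
"""Spot notification-listener declarations and SMS/contact permissions in a manifest.

Added example; not code from Zscaler or from the malware. It assumes a decoded
(plain-text) AndroidManifest.xml and uses a constructed sample manifest.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
# Permissions covering the data the article says Joker steals (SMS, contacts).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
}

# Constructed manifest; package, label and service names are placeholders.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fontkeyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Example Keyboard">
    <service android:name=".NlService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def notification_listeners(manifest_xml):
    """Names of services that can receive notification access once the user grants it."""
    root = ET.fromstring(manifest_xml)
    found = []
    for svc in root.iter("service"):
        bound_perm = svc.get(ANDROID_NS + "permission")
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        if bound_perm == LISTENER_PERMISSION or LISTENER_ACTION in actions:
            found.append(svc.get(ANDROID_NS + "name"))
    return found


def risk_summary(manifest_xml):
    """Combine the two checks into one record a reviewer can act on."""
    perms = requested_permissions(manifest_xml)
    listeners = notification_listeners(manifest_xml)
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "notification_listeners": listeners,
        "sensitive_permissions": sensitive,
        "needs_review": bool(listeners) or bool(sensitive),
    }


if __name__ == "__main__":
    for key, value in risk_summary(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

A notification listener is legitimate in a smartwatch companion or a do-not-disturb manager; in a keyboard, PDF scanner or translation app it has no obvious purpose, which is the mismatch worth acting on.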

Among the 11 apps, the app Font Style Keyboard was found to incorporate new changes from the older payloads.

And unlike previous Joker campaigns, the app has a stage payload that also performs command-and-control communication.

Android malware is becoming increasingly prevalent as more and more users come online.

With malware like the Joker, people's sensitive data can be stolen, victims can have their privacy compromised, and can be signed up for premium services without their consent or knowledge.

Making things worse, the Joker malware is an infamous example of Android malware that can spread undetected via the Google Play Store.

Example of the Joker's execution flow. (Credit: Zscaler)

"The Joker malware authors are very active and innovating on their tactics in their attempts to bypass the vetting process of the Google Play store. Judging by the number of payloads uploaded to Google Play, we can safely say that the Joker malware authors are succeeding in their efforts."

Malware is the best and easiest way for malicious actors to get a foothold inside their victims' devices.

By creating backdoors, or by making compromised devices do whatever they wish, hackers can see or access almost everything their victims have and store on their devices.

The Google Play Store is not the only place that Joker malware can be found, as the same apps are also uploaded to other third-party app stores as well, due to those stores’ regular crawling activities on the Google Play Store.

Fortunately, Google has been quick, as it has removed the apps as soon as the researchers notified them.

Unfortunately, the said apps can live longer on third-party app stores that do not perform the same takedowns. What's more, knowing that the people behind the Joker are continuously developing the malware, there is no telling when the infection will end.

Published: 27/07/2021