Home News Joker Malware Laughs Again; Bypasses Google Play’s Security

Joker Malware Laughs Again; Bypasses Google Play’s Security

325
0
SHARE
joker malware, joker, malware, Android malware
SHARE

It seems Google’s Play Store did not hear the joker laughing. Confused? Yes, it is true! An old yet familiar malware family, the Joker malware, has been found to be secretly hiding out in legitimate Google Play applications. According to the researchers, the new variant is an improvised version of the previously known malware, which downloads additional payloads and also subscribes app users to premium services without their knowledge and consent.

The Joker’s First Laugh

This Joker malware first surfaced in 2017. It was one of the most commonly infested type of Android malware used in carrying-out billing frauds and its spying capabilities meant that it was extensively used in stealing SMS messages, contact lists, and device information. Ever since, the Joker malware has been prevalent in several cybercriminal activities under various names, as researchers suggest.

Joker Malware’s Evolution

The new variant, which was first discovered by Check Point researchers Aviran Hazum, Bogdan Melnykov, and Israel Wernik, leverages the app’s manifest file that loads a Base64 encoded DEX file. The .dex file is hidden as Base64 strings and added as an inner class in the main application. This loads it via the reflection APIs.

Referring to its additional capabilities, Aviran Hazum said, “To achieve the capability of subscribing users to premium services without their knowledge or consent, the Joker utilized two main components — the Notification Listener as a part of the original application, and a dynamic dex file loaded from the C&C server to perform the registration.”

Joker Malware also has an additional feature that remotely issues a “false” status code from a C&C server under the threat actors’ control, which helps in disguising the malicious activity as a legit one.

Joker Malware IOCs

db43287d1a5ed249c4376ff6eb4a5ae65c63ceade7100229555aebf4a13cebf7 (com.imagecompress.android)

d54dd3ccfc4f0ed5fa6f3449f8ddc37a5eff2a176590e627f9be92933da32926 (com.contact.withme.texts)

5ada05f5c6bbabb5474338084565893afa624e0115f494e1c91f48111cbe99f3 (com.hmvoice.friendsms)

2a12084a4195239e67e783888003a6433631359498a6b08941d695c65c05ecc4 (com.relax.relaxation.androidsms)

96f269fa0d70fdb338f0f6cabf9748f6182b44eb1342c7dca2d4de85472bf789 (com.cheery.message.sendsms)

0d9a5dc012078ef41ae9112554cefbc4d88133f1e40a4c4d52decf41b54fc830 (com.cheery.message.sendsms)

2dba603773fee05232a9d21cbf6690c97172496f3bde2b456d687d920b160404 (com.peason.lovinglovemessage)

46a5fb5d44e126bc9758a57e9c80e013cac31b3b57d98eae66e898a264251f47 (com.file.recovefiles)

f6c37577afa37d085fb68fe365e1076363821d241fe48be1a27ae5edd2a35c4d (com.LPlocker.lockapps)

044514ed2aeb7c0f90e7a9daf60c1562dc21114f29276136036d878ce8f652ca (com.remindme.alram)

f90acfa650db3e859a2862033ea1536e2d7a9ff5020b18b19f2b5dfd8dd323b3 (com.training.memorygame)

SHARE

Subscribe Now to receive Free Newsletter

* indicates required


By submitting this form, you are consenting to receive marketing emails from: EC-Council, 101 C Sun Ave. NE, Albuquerque, NM, 87109, http://www.eccouncil.org. You can revoke your consent to receive emails at any time by using the SafeUnsubscribe® link, found at the bottom of every email. Emails are serviced by Constant Contact