Dark Reading is part of the Informa Tech Division of Informa PLC
7/9/2020
04:50 PM
'Joker' Android Malware Pulls Another Trick to Land on Google's Play Store

Authors of the malware, which signs up mobile users for premium services, are repeatedly finding ways to bypass app review checks.

The authors of a particularly persistent Android malware family called "Joker" have once again found a way to sneak their product into Google's official Play mobile app store.

The malware (aka "Bread") is known for subscribing mobile users to premium content without their knowledge and has been floating around since at least early 2017.

Google security researchers previously described Joker as malware that was originally designed for SMS fraud but is now being used for large-scale billing fraud. According to the company, the creators of Joker "have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected."

The latest gambit to sneak Joker into the Play store actually involves an old technique used in the conventional PC threat landscape, according to researchers from Check Point.

Aviran Hazum, team leader of Check Point's Mobile Malware and Threat Intelligence Team, says the authors of Joker beat Google's security controls this time by hiding the malicious payload inside the app's Android manifest (AndroidManifest.xml), the file that declares an app's components and permissions.

"Without this file, an [Android] application cannot be installed or executed," he says.

Instead of having the Joker dropper download the malicious payload from a remote command-and-control server, the newest version reads it from custom fields the developers inserted into the manifest, he says. Because the payload was neither decoded nor executed while the app went through Google's security inspection at upload time, the review process had nothing malicious to observe.

"So the malware was able to bypass Google's inspection," Hazum says. "In general, Joker is not an easy malware to detect, and on top of that the actor is spending constant efforts to bypass those protections."

Other tricks that Joker has employed to evade detection include geolocation checks to target or avoid specific countries and implementation of malicious behavior in native code.

According to Google, as of January 2020, the company's Play mobile app store security controls had detected and removed at least 1,700 unique Android apps containing Joker.

In the past, the creators of Joker have hidden the malware in seemingly legitimate apps, such as filters, animations, and other camera utility apps. This time around, the malware was hidden in software posing as messaging apps for Android.

"The apps themselves are not legitimate — they are actor-created," Hazum says. "But they do provide some sort of functionality."

Persistent Problem
Once the fake app is installed on a device, it uses code downloaded from a command-and-control server to register the user for premium services. It then abuses an Android feature, the notification listener service, to quietly intercept and dismiss any subscription-confirmation notifications that would otherwise alert the user.

"Notification Listener is a service that is called by the operating system whenever a notification event occurs," Hazum says.

By using the service, Joker is able to read the content of all incoming notifications, including SMS notifications. This allows the malware to intercept and remove any registration verification codes sent to the Android user, keeping them in the dark about what has happened, he notes.
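The two manifest-level tells described above (a payload smuggled into manifest metadata, and a declared notification listener) can both be checked from a decoded AndroidManifest.xml before an app is ever run. The following is an added triage example written for this page; it is not Check Point's or Google's tooling and is not code from the Joker samples. It assumes the manifest has already been decoded from its binary AXML form to plain XML (for instance with apktool), and the sample manifest, package name, service name and the stand-in DEX blob are all constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for two Joker-style indicators:
(1) a classes.dex payload base64-encoded into a <meta-data> value, and
(2) a service bound as a NotificationListenerService, which lets an app read
    and dismiss SMS / subscription-confirmation notifications.

Added example, not the page's or any vendor's code. Assumes the manifest
was already decoded to plain XML (e.g. via apktool); the binary AXML inside
an APK must be decoded first. Sample input below is constructed.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEX_MAGIC = b"dex\n"  # every classes.dex begins with "dex\n0NN\0"
LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
# A real metadata value (version numbers, keys) is short; a smuggled binary is not.
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]{64,}$")


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def decoded_dex(value):
    """Return the decoded bytes if `value` is base64 text whose plaintext
    starts with the DEX magic; otherwise None. Plain base64 is the simplest
    form of the trick; variants with extra encoding layers need more work."""
    if not value or not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value)  # non-alphabet chars (whitespace) dropped
    except (binascii.Error, ValueError):
        return None
    return raw if raw.startswith(DEX_MAGIC) else None


def scan_manifest(xml_text):
    """Return {'embedded_dex': [...], 'notification_listeners': [...]}."""
    root = ET.fromstring(xml_text)
    findings = {"embedded_dex": [], "notification_listeners": []}
    for md in root.iter("meta-data"):
        raw = decoded_dex(_attr(md, "value"))
        if raw is not None:
            findings["embedded_dex"].append(
                {"name": _attr(md, "name"), "size": len(raw)})
    for svc in root.iter("service"):
        perm = _attr(svc, "permission")
        actions = {_attr(a, "name") for a in svc.iter("action")}
        if perm == LISTENER_PERMISSION or LISTENER_ACTION in actions:
            findings["notification_listeners"].append(_attr(svc, "name"))
    return findings


# Constructed stand-in for a DEX payload: valid magic, zero-filled body.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 120  # 128 bytes

# Constructed manifest for a hypothetical "messaging" app; names are invented.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.chatter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Chatter">
    <meta-data android:name="com.google.android.gms.version" android:value="12451000"/>
    <meta-data android:name="payload_blob" android:value="{base64.b64encode(FAKE_DEX).decode()}"/>
    <service android:name=".NotifService" android:permission="{LISTENER_PERMISSION}">
      <intent-filter>
        <action android:name="{LISTENER_ACTION}"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, hits in scan_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {hits}")
```

Two caveats when using this as a triage signal. Declaring the listener service is not by itself malicious and is not enough for the malware to work: Android only binds a NotificationListenerService after the user grants the app notification access in Settings, so the indicator is a listener declared by an app whose advertised function (a camera filter, a wallpaper pack) has no reason to need one. And the metadata check only catches a payload stored as plain base64; a variant that adds its own encoding or encryption on top will need the decoding step mirrored before the DEX magic can be checked.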

Both Google and Apple have invested considerable effort in layered security controls to prevent developers from uploading malware-laden applications to their respective app stores. Security researchers generally agree that app review has made the stores, particularly Apple's App Store, considerably more secure in recent years, and malicious apps remain a very small proportion of all applications on them.

Even so, bad actors have been able to continue uploading malicious software — mainly to Google Play — relatively frequently. In 2019, for instance, RiskIQ detected 25,647 apps on the Google Play Store as being malicious. Though the number represented a more than 76% decline from the 108,770 malicious applications detected in 2018, it still presented a risk to users who trusted the store to be safe.

"Google and Apple invest a lot in security research, but that's not enough," Hazum says. "As we have shown time after time, malware is still able to bypass market security. Security vulnerabilities are discovered on a constant basis, and if your device is not patched, you are vulnerable."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...