Late last year we saw the Joker malware surface and spread like wildfire. The latest report from Check Point’s researchers has discovered a new variant of the Joker Dropper and Premium Dialer spyware in the Google Play Store. These were found hiding inside of seemingly legitimate applications. This new updated Joker malware can download additional malware to the device, which in turn subscribes the victim to a number of premium services without their consent.
Meantime, Google has removed 11 apps from the Play Store infected with the notorious Joker malware. The applications include include com.imagecompress.android, com.relax.relaxation.androidsms, com.cheery.message.sendsms (two different instances), com.peason.lovinglovemessage, com.contact.withme.texts, com.hmvoice.friendsms, com.file.recovefiles, com.LPlocker.lockapps, com.remindme.alram and com.training.memorygame.
Joker malware: Everything you need to know
The researchers have said that with small changes to its code the Joker malware to get past the Play store security and vetting barriers. This time along the Joker malware has adopted an old technique from the conventional PC threat landscape to avoid detection by Google. The newly modified Joker virus uses two main components to subscribe, app users to premium services. These components are: Notification Listener service and dynamic dex file loaded from the C&C server.
To minimize the Joker’s code, the developer hid the code by dynamically loading it onto a dex file, while at the same time, ensuring that it is able to completely load when triggered. The code inside of the dex file is encoded as Base64 encoded strings, that start decoding and loading as soon as the victim opens the affected apps.
The original Joker malware communicated with the C&C, and then downloaded the dynamic dex file, which was loaded as cases.dex. However, the new modified version of the code is embedded in a different zone, with the classes.dex file loading a new payload. The malware is triggered by creating a new object that communicates with the C&C.
“The new method is much more complex compared to the process of the original Joker malware. It requires for one .dex file to read a manifest file and then start decoding the payload. After the payload is decoded, it then loads a new .dex file and then infects the device,” Lalit Wadhwa, an Android app developer at Jungle Works told indianexpress.com.
According to the Check Point report, the Base64 strings were located inside an internal class, instead of being added into the Manifest file. This means that the malicious code only needed the device to read the strings, decode them and then load the reflection to infect.
Joker malware: What it does, which all apps are infected and how to fix it
Due to the payload being hidden in Base 64 strings, the only thing that the actor needed to do to hide the file was to set the C&C server to return “false” on the status code, if tests were being run.
Check Point recommends you to check all your apps thoroughly and see if they are from a non-trusted developer. If you feel that you have downloaded an infected file, you should immediately uninstall it. Then you should check your mobile and credit card bills for any irregularities. If there are any talk to the bank and unsubscribe to those charges. Lastly, it is recommended that users should install an anti-virus program on their smartphones to prevent infections.
