Check Point’s researchers recently discovered a new variant of the Joker Dropper and Premium Dialer spyware in Google Play
July 2020 by Check Point
Billing Fraud Malware Bypasses Google Play Store Protections Again
The infamous malware, known as Joker, adapts to hide in the “essential information” file every Android app is required to have, invisibly subscribing victims to premium services without their knowledge.
Recently, Check Point researcher Aviran Hazum identified a new method the Joker malware has been leveraging. This time, the Joker malware hides malicious code inside what’s called the “Android Manifest” file of a legitimate application. Every application must have an Android Manifest file in its root directory. The manifest file provides essential information about an app, such as name, icon and permissions, to the Android system, which the system must have before it can run any of the app’s code. Because the payload (the portion of the malware which performs the malicious action) is already inside the app, the malware does not need to access a C&C server (a computer controlled by a cybercriminal and used to send commands to systems compromised by malware) to download it.
Aviran Hazum outlined Joker’s new method in three steps:
1. Build payload first. Joker builds its payload beforehand, inserting it into the Android Manifest File.
2. Skip payload loading. During evaluation time, Joker does not even try to load the malicious payload, which makes it a lot easier to bypass Google Play Store protections.
3. Malware spreads. After the evaluation period, once the app has been approved, the campaign starts to operate: the malicious payload is decided and loaded.
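As an added example (not Check Point's code), here is a triage check a reviewer could run over an app's manifest to flag attribute values that carry an embedded executable. It assumes the manifest has already been converted from binary to text XML and that the payload is stored as a Base64-encoded DEX file; the page does not say how Joker encodes it, so the encoding, the sample manifest and all names below are assumptions.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")   # header of a Dalvik executable
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}")   # long Base64-looking run

# Constructed sample: a decoded (text) manifest with one benign and one
# suspicious meta-data value. The blob is a fake 64-byte DEX header, not malware.
_FAKE_DEX = b"dex\n035\x00" + bytes(56)
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <application android:label="Wallpapers">
    <meta-data android:name="com.example.API_KEY" android:value="AIzaSyExampleKey123"/>
    <meta-data android:name="com.example.cfg"
               android:value="{base64.b64encode(_FAKE_DEX).decode()}"/>
  </application>
</manifest>"""


def scan_manifest(xml_text):
    """Return one finding per long Base64 run found in any attribute value."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            for run in B64_RUN.findall(value):
                try:
                    # Re-pad before decoding; the regex drops trailing '='.
                    raw = base64.b64decode(run + "=" * (-len(run) % 4))
                except (binascii.Error, ValueError):
                    continue  # not valid Base64 after all
                kind = "embedded-dex" if DEX_MAGIC.match(raw) else "long-base64"
                findings.append({
                    "tag": elem.tag,
                    "attr": attr.split("}")[-1],  # drop the XML namespace
                    "kind": kind,
                    "decoded_bytes": len(raw),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_manifest(SAMPLE_MANIFEST):
        print(finding)
```

A "long-base64" finding is only a prompt for manual review, since legitimate apps also store long encoded values in their manifests; an "embedded-dex" finding means executable code is sitting in a file that should hold only metadata.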
Responsible Disclosure
Check Point researchers responsibly disclosed their findings to Google. All reported applications (11 apps) were removed from the Play Store by April 30, 2020.
Quote: Aviran Hazum, Manager of Mobile Research:
“Joker adapted. We found it hiding in the “essential information” file every Android application is required to have. Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users. The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people.”
How to Stay Protected
If you suspect you may have one of these infected apps on your device, here’s what you should do:
• Uninstall the infected application from the device
• Check your mobile and credit-card bills to see if you have been signed up for any subscriptions and unsubscribe if possible
• Install a security solution to prevent future infections