Fresh Joker Malware Variant Targeting Android Users
Dozens of Trojanized Apps Found in Google Play, Third-Party App Stores
The two security firms found dozens of these Trojanized apps, which can bypass security protections.
Once installed, the Joker apps can steal SMS messages, contact lists and device information from infected Android smartphones. The malware also can automatically sign up victims for premium services from various websites, according to a July report from Check Point Research (see: Updated Joker Android Malware Adds Evasion Techniques).
Zimperium analysts found 64 Joker malware apps over the last month, most of which were lurking in third-party app stores. Meanwhile, Zscaler found 17 malicious apps that had been downloaded over 120,000 times since the start of September. Many of these found their way into the Google Play store.
"Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods or payload-retrieving techniques," Viral Gandhi, a researcher with Zscaler, notes.
Over the last three years, Google has removed thousands of these apps from Google Play.
When researchers contacted Google about the last round of Joker apps, Google promptly removed the 64 apps in question from Google Play. A Google spokesperson could not be immediately reached Tuesday for additional comment.
New Evasive Techniques
In most cases, the Trojanized Joker apps are disguised as games, wallpaper or other benign apps, according to the reports. In some cases, the malware is a knockoff of a legitimate app, which can trick users into downloading it to their Android device.
The Zimperium and Zscaler analysts note that many Joker apps do not contain the malicious payload at the time they are submitted, which is one way these apps get past security checks. Instead, the apps contain obfuscated code that acts as a dropper, awaiting instructions from a command and control server. In some cases, the threat actors will wait for hours or even days after the app is installed before sending further instructions to download and install the malware.
The Zimperium report notes that these apps deploy several techniques to hide their true purpose. In one method, the Joker app mirrors the user interface of a legitimate app and displays a screen with a progress bar that reads "loading data." This screen disguises the payload being downloaded onto the user's device. To avoid detection, the malware uses AES encryption to hide the malicious code while the final payload is downloaded into the application.
In other cases, the Joker developers hid a malicious DEX file - the Dalvik Executable bytecode format that Android apps are compiled to - inside the malicious apps. To a security tool, this file would appear similar to a third-party package incorporated into an app, according to the Zimperium report.
"The purpose of this is to make it harder for the malware analyst to spot the malicious code, as third-party libraries usually contain a lot of code and the presence of additional obfuscation can make the task of spotting the injected classes even harder," Zimperium says. "Furthermore, using legit package names defeats naive blacklisting attempts."
In its analysis published in July, Check Point found the Joker developers injected these DEX files into the Android Manifest file as encrypted strings. The Android Manifest file, which every Android app must include, acts as a directory of the app's components and permissions. This way, the malware stays dormant and hidden until Google approves the app for the store.
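The following is an added illustration of a defender-side check for the two Joker traits described here, the SMS permissions it needs to harvest messages and a DEX file hidden as an encoded string inside the manifest; it is not code from Check Point, Zimperium or Zscaler. It assumes the manifest has already been decoded from binary XML to plain XML (for example with apktool), and it assumes a plain base64 encoding, so a blob protected with a key would not be recognised by the DEX-header check.

```python
import base64
import re
import xml.etree.ElementTree as ET

# A DEX file starts with "dex\n", a three-digit version and a NUL byte.
DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")
MIN_BLOB_LEN = 64          # shorter values are labels, versions, class names
SMS_PERMISSIONS = {"READ_SMS", "RECEIVE_SMS", "SEND_SMS"}

def _decode_candidate(value):
    """Return decoded bytes when value is a long base64 string, else None."""
    stripped = re.sub(r"\s+", "", value)
    if len(stripped) < MIN_BLOB_LEN or not re.fullmatch(r"[A-Za-z0-9+/]+=*", stripped):
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return None

def scan_manifest(manifest_xml):
    """Flag attribute values that decode to a DEX header, and SMS permissions."""
    root = ET.fromstring(manifest_xml)
    dex_hits, sms_perms = [], []
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]            # drop the XML namespace prefix
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1]
            if tag == "uses-permission" and name == "name":
                if value.rsplit(".", 1)[-1] in SMS_PERMISSIONS:
                    sms_perms.append(value)
                continue
            blob = _decode_candidate(value)
            if blob is not None and DEX_MAGIC.match(blob):
                dex_hits.append((tag, name, len(blob)))
    return {"embedded_dex": dex_hits, "sms_permissions": sms_perms}

# Constructed sample: a DEX header magic plus zero padding, not a real classes.dex.
_FAKE_DEX = b"dex\n035\x00" + b"\x00" * 80
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Cute Wallpapers">
    <meta-data android:name="cfg" android:value="{base64.b64encode(_FAKE_DEX).decode()}"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(scan_manifest(SAMPLE_MANIFEST))
```

A hit is a starting point for manual review, not a verdict: benign apps also carry SMS permissions, and a blob that is encrypted rather than merely encoded will only show up as an unusually long opaque attribute value.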
In the Zscaler report, the analysts pointed to three methods - direct downloads, one-stage downloads and two-stage downloads - that fraudsters use to download the final payload from the command and control server once the malicious Joker app has been installed. All three methods download the same payload in various stages and avoid the vetting process deployed by Google’s security tools.
While the security features within the Google Play store are supposed to scan and block apps that contain malware, security researchers have found that fraudsters have been getting better at designing fake apps and bypassing protocols to avoid detection.
For example, over the past five years, a sophisticated spyware campaign dubbed "PhantomLance" has been targeting Android users through Trojan-laced apps in the Google Play store that are disguised as various plug-ins, browser cleaners and application updaters, according to the report Kaspersky published in April (see: Spyware Campaign Leverages Apps in Google Play Store).