Check Point researchers have identified malware that is disguised as a legitimate looking Android application and is used to capture user's information. Known as ‘Joker', the billing fraud malware is specifically designed to evade Google Play Store protections.
First tracked in 2017, the malware is a spyware and premium dialer that can access notifications, read and send SMS texts. These capabilities are used to invisibly subscribe victims to premium services.
Google has described this malware operation as one of the most persistent threats it has dealt with during the last few years, stating that it has “used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected.
Recently, Check Point researcher, Aviran Hazum, identified a new method the Joker malware has been leveraging. The new method sees the Joker malware hiding malicious code inside what's called the 'Android Manifest' file of a legitimate application.
Every application must have an Android Manifest file in its root directory. The manifest file provides essential information about an app, such as name, icon and permissions, to the Android system, which the system must have before it can run any of the app's code.
This way, the malware does not need to access a C-C server, which is a computer controlled by a cybercriminal used to send commands to systems compromised by malware, to download the payload, the portion of the malware which performs the malicious action.
Check Point researchers disclosed its findings to Google and all reported applications (11 apps) were removed from the Play Store by April 30, 2020.
Hazum outlined Joker's new method in three steps.
Build payload first: Joker builds its payload beforehand, inserting it into the Android Manifest File.
Skip payload loading: During evaluation time, Joker does not even try to load the malicious payload, which makes it a lot easier to bypass Google Play Store protections.
Malware spreads: After the evaluation period, after it's been approved, the campaign starts to operate, malicious payload decided and loaded.
Check Point manager of Mobile Research Aviran Hazum says, “Joker adapted. We found it hiding in the ‘essential information' file every Android application is required to have. Our latest findings indicate that Google Play Store protections are not enough.
“We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users.
“The Joker malware is tricky to detect, despite Google's investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people.
Check Point researchers have provided specific steps to help people stay protected.
The researchers say if someone suspects they have one of these infected apps on their device they should uninstall the application, check all mobile and credit-card bills to see if subscriptions have been signed up for and unsubscribe if possible, and finally install a security solution to prevent future infections.