Contents:
Dubbed “the malware that signs you up for pricey services”, Joker has been flooding Android markets for the last few years, generally infecting apps on Google’s Play Store. Back in April, however, the malware also occurred on Huawei’s platform, infecting more than 500,000 users.
No Laughing Matter
Dating back to 2017, Joker hides within legitimate apps such as camera apps, games, messengers, photo editors, translators, and wallpapers. Once installed, Joker apps silently simulate clicks and intercept SMS messages to subscribe victims to unwanted, paid premium services controlled by the attackers – a type of billing fraud that researchers call “fleeceware”.
To clarify, a fleeceware refers to a mobile app that comes with excessive subscription fees. For instance, most apps provide you with a short free trial to test the product before deciding upon a monthly or yearly subscription. Fleeceware applications on the other hand take advantage of users who are not familiar with how subscriptions work on iOS or Android devices and charge higher fees.
The Joker apps also steal SMS messages, contact lists, and device information. In most cases, the victim is unaware until the mobile bill arrives.
According to Zimperium researchers, over 1,800 Android Joker-infected applications have been removed from the Google Play store in the last four years, with at least 1,000 new samples detected just since September.
(…) Malicious actors have routinely found new and unique ways to get this malware into both official and unofficial app stores. While they are never long for life in these repositories, the persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat and mouse game.
Changes Since September 2020
The threat actors behind the new version of Joker are taking advantage of legitimate developer techniques to try and hide the actual intent of the payload from traditional, legacy-based mobile security toolsets. According to the researchers, they are starting by using the common framework Flutter to code the application in a way that is commonly seen by traditional scanners. Due to Flutter’s commonality, even malicious app code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies.
What’s more, the cybercriminals are embedding Joker as a payload that can be encrypted in either a .dex file xored or with a number, or through the same .dex file as before, but hidden inside an image using steganography.
After successful installation, the application infected with Joker will run a scan using Google Play APIs to check the latest version of the app in Google Play Store. If there is no answer, the malware remains silent since it can be running on a dynamic analysis emulator. But if the version found in the store is older than the current version, the local malware payload is executed, infecting the mobile device. If the version in the store is newer than the current one, then the command and control servers are contacted to download an updated version of the payload.
Joker’s new version also includes URL shorteners, checking the current time against a hardcoded launch-time, image infected using steganography on legit cloud file hosting services, and a combination of native libraries to decrypt the offline payload from the APK’s assets or connect to C&C for the payload.