Joker Android malware is back: updated and even more dangerous

Mobile billing-fraud malware is using new tactics to breach device security

New applications with Android malware were found: updates make the threat more dangerous

The Joker, a billing-fraud malware, has returned to Google Play, and with its new updates it is even more threatening than before: the malware is using new tactics to get through Google's app-vetting process. The people behind Joker use legitimate developer techniques to hide the actual intent of the payload from traditional, legacy mobile security toolsets. This approach helps them evade both device-based and app-store protections[1].

Another way the attackers go unnoticed is the use of anti-detection techniques. The payload is embedded as a .DEX file that can be obfuscated in different ways, such as being encrypted with a numeric key or hidden inside an image using steganography.

Researchers note that the new versions of the malware use URL shorteners to hide the C2 addresses and a combination of native libraries to decrypt an offline payload. The new samples also take extra precautions to remain hidden after a trojanized app is installed.
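As an added example (not code from the original article or from any of the cited researchers), the following Python script shows how a triage tool can hunt for the hiding technique described in the two paragraphs above: it walks the entries of an APK and flags any resource that is a DEX file in disguise, whether stored plainly, XOR-encrypted with a single-byte key, or appended after the IEND chunk of a PNG. The APK it scans is constructed inline from stand-in files (the "DEX" is just the 8-byte header plus padding; the "PNG" is a bare signature, IHDR and IEND), so it runs offline; entry names such as assets/loader.db and the XOR keys are made up for the demonstration.

```python
"""Static triage: look for a Dalvik (DEX) payload hidden in an APK's resources."""
import io
import zipfile

DEX_MAGIC = b"dex\n"                                # real files continue with e.g. b"035\x00"
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"  # zero-length IEND chunk plus its CRC


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the simplest "encrypted with a number")."""
    return bytes(b ^ key for b in data)


def png_trailer(data: bytes) -> bytes:
    """Bytes appended after a PNG's IEND chunk: a viewer ignores them, a loader can read them."""
    if not data.startswith(PNG_SIGNATURE):
        return b""
    end = data.find(PNG_IEND)
    if end < 0:
        return b""
    return data[end + len(PNG_IEND):]


def classify_blob(data: bytes):
    """Return ("plain", offset), ("xor", key) or None for a blob that looks like a DEX file.

    First the leading 4 bytes are tested against the DEX magic under every single-byte
    XOR key (key 0 is the plaintext case); then the whole blob is searched for the
    plaintext magic at a non-zero offset.
    """
    if len(data) < 4:
        return None
    head = data[:4]
    for key in range(256):
        if xor_bytes(head, key) == DEX_MAGIC:
            return ("plain", 0) if key == 0 else ("xor", key)
    offset = data.find(DEX_MAGIC)
    return ("plain", offset) if offset > 0 else None


def scan_entry(name: str, data: bytes) -> list:
    """Check an entry's body and, if it is a PNG, anything trailing the IEND chunk."""
    findings = []
    for where, blob in (("body", data), ("png_trailer", png_trailer(data))):
        hit = classify_blob(blob)
        if hit:
            kind, value = hit
            findings.append({"entry": name, "where": where, "kind": kind, "value": value})
    return findings


def scan_apk(apk_bytes: bytes) -> list:
    """Scan every file in the APK except the legitimate classesN.dex entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):
                continue
            if name.startswith("classes") and name.endswith(".dex"):
                continue                            # that is where DEX code is supposed to live
            findings.extend(scan_entry(name, zf.read(name)))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample APK (not a real malware sample) with two disguised DEX payloads."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 64       # DEX header magic followed by padding
    clean_png = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + PNG_IEND
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", fake_dex)                                     # legitimate
        zf.writestr("res/drawable/icon.png", clean_png)                          # benign image
        zf.writestr("assets/strings.dat", b"hello world")                        # benign data
        zf.writestr("assets/loader.db", xor_bytes(fake_dex, 0x5A))               # XOR-hidden DEX
        zf.writestr("assets/splash.png", clean_png + xor_bytes(fake_dex, 0x37))  # DEX after IEND
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk(build_sample_apk()):
        print(finding)
```

Running it reports the two planted entries and nothing for the benign ones. Two caveats follow directly from the article: a payload that only exists after a native library decrypts it at runtime, as the newer samples do, never appears in a static scan like this, so the .so itself becomes the thing to pull apart; and single-byte XOR is only the simplest transform, so a real triage script would try a few more cheap ones before giving up on a blob.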

Mobile malware, as its name suggests, is malicious software that specifically targets mobile operating systems, but that does not make the threat a small one[2]. Joker should not be taken lightly either: there is a real potential for a major enterprise to be affected if an infected device is enrolled in the company's bring-your-own-device (BYOD) program.

The infection could steal contact information and SMS messages

The Joker malware was first detected in 2017 by CSIS Security Group malware analyst Aleksejs Kuprins, and it is not a joke. The malware can read SMS messages, contact lists and additional device information, which can give its operators access to everything you keep on the phone, including banking details and other personal data[3].

Its main purpose is billing fraud: it silently signs the victim up for paid services. This works by automating the necessary interaction with the premium offer's web page, entering the operator's offer code, then waiting for an SMS message with a confirmation number and extracting it using regular expressions[4].

The Joker malware only targets specific countries. Most of the infected apps contain a list of Mobile Country Codes (MCC), and the victim has to be using a SIM card from one of these countries in order to receive the second-stage payload. The vast majority of the discovered apps target EU and Asian countries.

Android malware is getting out of hand

Joker apps are usually downloaded from outside the official Google Play store; on certain occasions, however, not even the official platform has been free of the malware. More than 1,800 Android applications infected with Joker have been removed from the Google Play store over the last four years. Among the infected apps were Auxiliary Message, Fast Magic SMS, Free CamScanner, Super Message, Element Scanner, Go Messages, Travel Wallpapers, and Super SMS[5].

Joker is not the only malware that threatens smartphone security. FakeDolphin is a malicious program that offers the Dolphin browser as an alternative to your default browser, most commonly Google Chrome, and it automatically signs users up for its services without their permission[6].

GinMaster today accounts for 6% of all malware attacks on Android. After entering the device, GinMaster installs its root shell deep in the device partition to remain undetected. The malware can be used for stealing data, remotely controlling the device, spying, and more. The list of Android malware is long: as of 2021, there are at least 25 known malicious apps.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
