Joker malware keeps hiding and spreading via Google Play Store

Android malware still evades Google Play Store Protection and delivers threat that is tracked since 2017

Joker malware creators released adapted versionAndroid applications with Joker malware slip into the Play Store undetected. Joker malware – Android virus, once again reported spreading around via infected applications.[1] The malicious actor manages to slip these programs onto the Google Play Store – official source of Android applications.[2] This is not the new issue, malware is tracked since 2017, and initially was designed to perform SMS fraud by infecting devices with malware, also known as Bread. The issue comes to the light after particular Google Play protection updates:

The Joker malware is tricky to detect, despite Google's investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again.

These recent versions of the threat got analyzed, and investigations revealed that new tactics for introduced. Google revealed new Play Store policies and restricted the use of SEND_SMS permissions, so protection of the Google Play Store got increased. However, the newest Joker trojan not relies on mobile billing fraud methods,[3] so victims get tricked into subscribing to content or even buying particular products by using funds in their mobile phone bill.[4]

A newly adapted version of old Joker malware

At the start of 2020, at least 1,700 applications got removed from the Play Store due to infection of the Joker malware.[5] The activities of this malware, also known as Bread, got tracked since 2017, so Google Play Protect policies also got renewed and advanced.

However, Joker can successfully slip into the Play Store and infect Android devices by binding the payload as dex file hidden in the form of Base64 encoded strings. Thi method includes the benign applications' AndroidManifest that is used to provide Android build tools, the OS, Google Play Store with crucial information about those programs.

Joker malware can avoid detection and ensure that there is no need to connect to a server to download particular malicious components on the devices. In the research that the CheckPoint team released, at least 11 new applications were revealed. Those programs were removed from the marketplace.

The infection method comes in three stages

Joker adapted, and later findings revealed a list of malware sample hashes and Android package names of applications infected by the threat. There are more variants of the virus that use multiple approaches and target users with different carriers.

It is expected because malicious factors are forced to change tactics since Play Store patches some flaws in their security and protection systems, introduce new policies.

They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected.

As experts note the infection method now used by most of those Joker malware samples use three steps of the infiltration:

  • Joker builds the payload and then inserts that into the Andriod Manifest File.
  • Malware does not try to load the malicious payload, so it can bypass the Google Play Store Protections.
  • Virus then can spread after the evaluation period when it is been approved. Joker malware campaign starts and can operate.
About the author
Ugnius Kiguolis
Ugnius Kiguolis - The mastermind

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.

Contact Ugnius Kiguolis
About the company Esolutions