Experts found Joker Spyware in 24 apps in the Google Play store

Pierluigi Paganini September 08, 2019

Security experts at Google have removed from Google Play 24 apps because they were infected with a new spyware tracked as “the Joker.”


The spyware is able to steal SMS messages, contact lists and device information, and to sign victims up for premium service subscriptions.

“Over the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with over 472,000+ installs in total.” reads an analysis of the malware published by researcher Aleksejs Kuprins. “The malware — going by the name “the Joker” (which was borrowed from one of the C&C domain names) — delivers a second stage component, which silently simulates the interaction with advertisement websites, steals the victim’s SMS messages, the contact list and device info.”

The 24 malicious apps removed from the official store had a total of 472,000 installs.

The Joker spyware infected users in 37 countries, including Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom and United States. The post published by the expert includes a list of the malicious apps and their associated package names.


The Joker spyware checks whether the device's SIM card is associated with one of the above countries. Most of the apps target EU and Asian countries; the experts also noticed that both the C2 panel code and some of the bot's code include comments written in Chinese.

The malicious code implements a notable evasion technique to bypass Google Play's checks: the expert explained that the malware hides its malicious code inside the advertisement frameworks bundled with the app.

“This malware kit stands out as a small and a silent one. It is using as little Java code as possible and thus generates as little footprint as possible.” continues the expert.

Once installed, the apps display a "splash" screen showing the app's logo while performing various initialization processes in the background.

Besides loading the second-stage DEX file, the malicious code also receives dynamic code and commands over HTTP, then runs that code via JavaScript-to-Java callbacks. Because the logic arrives at runtime rather than shipping in the APK, this approach makes static analysis of the Joker spyware considerably harder.

“After the initialization is done, the malware will download an obfuscated and AES-encrypted configuration from the payload distribution C&C server. Joker composes the AES key for the configuration string decryption using yet another string scheme, which would concatenate the app’s package name with MCC code string and shuffle the symbols around in a specific way.” states the analysis.

“The configuration string above contains the necessary information about the second stage code — the core component of the Joker. Being split by a 3-symbol delimiter, the configuration string above contains (ordered): 
1. The URL for the Joker Core DEX file — this file is obfuscated
2. The de-obfuscation “keys” — indexes of the obfuscated read buffer
3. The initialization class name — the class, which implements the initialization method
4. The initialization method name — which method to call upon loading
5. The C&C URL
6. The campaign tag”
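To make the six-field layout above concrete, here is a small triage parser for a decrypted configuration string of that shape. This is an added example, not code from the original analysis or from the malware: the delimiter `|#|`, the comma-separated encoding of the index "keys", and every sample value are assumptions, since the page gives none of them.

```python
# Added example (not from the original analysis): a triage parser for the
# six-field configuration layout described above. The delimiter and every
# sample value below are constructed placeholders; the page does not give them.
from urllib.parse import urlparse

DELIMITER = "|#|"  # assumed 3-symbol delimiter; the real one is not on the page

# Ordered field names, matching items 1-6 of the quoted analysis.
FIELD_NAMES = (
    "dex_url",       # 1. URL of the obfuscated second-stage DEX
    "deobf_keys",    # 2. de-obfuscation "keys": indexes into the read buffer
    "init_class",    # 3. class implementing the initialization method
    "init_method",   # 4. method called upon loading
    "c2_url",        # 5. C&C URL
    "campaign_tag",  # 6. campaign tag
)


def parse_config(decrypted: str, delimiter: str = DELIMITER) -> dict:
    """Split a decrypted configuration string into its six ordered fields;
    reject a wrong field count or malformed URL/index instead of mis-reading it."""
    parts = decrypted.split(delimiter)
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(parts)}")
    cfg = dict(zip(FIELD_NAMES, parts))
    for name in ("dex_url", "c2_url"):
        if urlparse(cfg[name]).scheme not in ("http", "https"):
            raise ValueError(f"{name} is not an http(s) URL: {cfg[name]!r}")
    # Index encoding is assumed here: comma-separated non-negative decimals.
    keys = tuple(int(k) for k in cfg["deobf_keys"].split(",") if k)
    if not keys or min(keys) < 0:
        raise ValueError("de-obfuscation keys must be non-negative integers")
    cfg["deobf_keys"] = keys
    return cfg


def network_iocs(cfg: dict) -> set:
    """Hostnames an analyst would hunt for in DNS/proxy logs or block."""
    return {urlparse(cfg["dex_url"]).hostname, urlparse(cfg["c2_url"]).hostname}


# Constructed sample string; .invalid hostnames are reserved and never resolve.
SAMPLE = DELIMITER.join([
    "https://payload.example.invalid/core.bin",
    "3,17,42,8",
    "com.example.loader.Init",
    "start",
    "https://c2.example.invalid/api",
    "campaign-demo",
])
```

Feeding `SAMPLE` to `parse_config` yields the six named fields with the keys as a tuple of integers, and `network_iocs` returns the two hostnames worth adding to a blocklist or hunting query.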

The spyware also automatically signs victims up for premium service subscriptions advertised on the sites it visits: the malware automates the necessary interaction with the premium offer's webpage, including intercepting the SMS that carries the confirmation code.

Unfortunately, the number of malicious apps distributed through the official Google Play Store continues to grow.

At the end of August, security experts from Kaspersky spotted malware in the free version of the popular PDF creator app CamScanner, which was available on Google Play.

Recently other cases of infected apps distributed via Google Play Store made the headlines. Last week, ESET experts discovered that an Android app infected with AhMyth open-source RAT has bypassed the security of Google Play twice over two weeks.

In March, researchers at Check Point uncovered a sophisticated malware campaign spreading the SimBad agent through the official Google Play Store. According to the experts, more than 150 million users had already been impacted at the time of the discovery.

In February, security researcher Lukas Stefanko from ESET discovered the first Android cryptocurrency clipboard hijacker impersonating MetaMask on the official Google Play store.

Kuprins recommends that Google Play users be vigilant about the permissions requested by any app they want to install.

“We recommend paying close attention to the permission list in the apps that you install on your Android device,” he concludes. “Obviously, there usually isn’t a clear description of why a certain app needs a particular permission, which means that whenever you are downloading any app — you are still relying on your gut feeling to some extent.”
