Google has removed from Google Play 24 apps because they were infected with a new spyware tracked as “the Joker.”
The spyware is able to steal SMS messages, contact lists and device information along with to sign victims up for premium service subscriptions.
“Over the past couple of weeks, we have been observing a new Trojan on
The 24 malicious apps removed from the official store had a total of 472,000 installs.
The Joker spyware infected users users in 37 countries, including Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom and United States. The post published by the expert includes a list of the malicious apps and associated package names.
The Joker spyware checks for SIM cards associated with one of the above countries. Most of the apps target the EU and Asian countries, the experts noticed that both C2 panel code and some of the bot’s code include comments that are written in Chinese.
The malicious code implements notably evasion technique to bypass Google Play’s checks, the expert explained that the malware was hiding malicious code within the advertisement frameworks.
“This malware kit stands out as a small and a silent one. It is using as little Java code as possible and thus generates as little footprint as possible.” continues the expert.
Once the apps are installed, they would display a “splash” screen showing the app’s logo, while performing various initialization processes in the background.
“After the initialization is done, the malware will download an obfuscated and AES-encrypted configuration from the payload distribution C&C server. Joker composes the AES key for the configuration string decryption using yet another string scheme, which would concatenate the app’s package name with
“The configuration string above contains the necessary information about the second stage code — the core component of the Joker. Being split by a 3-symbol delimiter, the configuration string above contains (ordered):
1. The URL for the Joker Core DEX file — this file is obfuscated
2. The de-obfuscation “keys” — indexes of the obfuscated read buffer
3. The initialization class name — the class, which implements the initialization method
4. The initialization method name — which method to call upon loading
5. The C&C URL
6. The campaign tag “
The spyware also automatically signs up victims for premium service subscriptions for various advertisements, the malware is able to automate the necessary interaction with the premium offer’s webpage, including intercepting the SMS containing the
Unfortunately, the number of malicious apps distributed through the official Google Play Store continues to grow.
At the end of August, security experts from Kaspersky spotted a malware in the free version of the popular PDF creator application CamScanner app that was available on the Google Play.
Recently other cases of infected apps distributed via Google Play Store made the headlines. Last week, ESET experts discovered that an Android app infected with AhMyth open-source RAT has bypassed the security of Google Play twice over two weeks.
In March, researchers at Check Point have uncovered a sophisticated malware campaign spreading the SimBad agent through the official Google Play Store. According to experts, more than 150 million users were already impacted at the time of the discovery.
In February, security researcher Lukas Stefanko from ESET discovered the first Android cryptocurrency clipboard hijacker impersonating MetaMask on the official Google Play store.
Kuprins recommends Google Play users to be vigilant on the permissions requested by any app they want to install.
“We recommend paying close attention to the permission list in the apps that you install on your Android device,” he concludes. “Obviously, there usually isn’t a clear description of why a certain app needs a particular
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – Google Play, hacking)