Google removed 1.7K+ Joker Malware infected apps from its Play Store

Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware.

Google provided technical details of its activity against the Joker malware (aka Bread) operation during the last few years.

The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disable the Google Play Protect service, install malicious apps, generate fake reviews, and show ads.

The spyware is able to steal SMS messages, contact lists and device information along with to sign victims up for premium service subscriptions.

In October, Google has removed from Google Play 24 apps because they were infected with Joker malware, the 24 malicious apps had a total of 472,000 installs.

“Over the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with over 472,000+ installs in total.” reads an analysis of the malware published by researcher Aleksejs Kuprins. “The malware — going by the name “the Joker” (which was borrowed from one of the C&C domain names) — delivers a second stage component, which silently simulates the interaction with advertisement websites, steals the victim’s SMS messages, the contact list and device info.”

The Joker spyware infected users in 37 countries, including Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom, and United States. The post published by the expert includes a list of malicious apps and associated package names.

The Joker spyware checks for SIM cards associated with one of the above countries. Most of the apps target the EU and Asian countries, the experts noticed that both C2 panel code and some of the bot’s code include comments that are written in Chinese.

The malicious code implements notably evasion technique to bypass Google Play’s checks, the expert explained that the malware was hiding malicious code within the advertisement frameworks.

Once the apps are installed, they would display a “splash” screen showing the app’s logo, while performing various initialization processes in the background.

Besides loading the second stage DEX file, the malicious code also receives dynamic code and commands over HTTP, then it runs that code via JavaScript-to-Java callbacks. This approach allows the Joker spyware to make it hard static analysis.

The spyware also automatically signs up victims for premium service subscriptions for various advertisements, the malware is able to automate the necessary interaction with the premium offer’s webpage, including intercepting the SMS containing the confirmation code.

“Sheer volume appears to be the preferred approach for Bread developers,” states Google. “At different times, we have seen three or more active variants using different approaches or targeting different carriers. [..] At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day.”

The Joker malware apps were originally designed to perform SMS fraud, but after the introduction of new Play policies, attackers have largely abandoned this for WAP billing.

“Bread apps typically fall into two categories: SMS fraud (older versions) and toll fraud (newer versions). Both of these types of fraud take advantage of mobile billing techniques involving the user’s carrier.” reads the post published by Google.

The newer versions of the Joker malware were involved in toll fraud that consist of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.

“Both of the billing methods detailed above [SMS fraud (older versions) and toll fraud (newer versions)] provide device verification, but not user verification.” continues the report. “The carrier can determine that the request originates from the user’s device, but does not require any interaction from the user that cannot be automated. Malware authors use injected clicks, custom HTML parsers and SMS receivers to automate the billing process without requiring any interaction from the user.”

Technical details on the Joker malware are available in full report published by Google.

“This family showcases the amount of resources that malware authors now have to expend,” concludes the experts.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Joker Malware, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]