Joker malware still able to bypass Google Play Store checks

Pierluigi Paganini February 22, 2020

The infamous Joker malware has found a way to bypass the security checks required for publication in the official Play Store, and experts have also found a new clicker malware family.

The fight against the Joker malware (aka Bread) began in September 2019, when security experts at Google removed 24 apps from the official Play Store because they were infected with new spyware tracked as “the Joker”.

The Joker malware is malicious code camouflaged as a system app; it allows attackers to perform a broad range of malicious operations, including disabling the Google Play Protect service, installing malicious apps, generating fake reviews, and showing ads.

The spyware is able to steal SMS messages, contact lists, and device information and to sign victims up for premium service subscriptions.

In January, Google revealed it successfully removed more than 1,700 apps from the Play Store over the past three years that had been infected with the Joker malware.

Most recent versions of the Joker malware were involved in toll fraud that consists of tricking victims into subscribing to or purchasing various types of content via their mobile phone bill.

Unfortunately, the malware is under constant development, and new samples that have been found in the official Play Store were specifically designed to avoid Google’s store checks.

Check Point researchers have recently discovered a new clicker malware family, along with some fresh samples of the Joker spyware in Google Play. A clicker is used by crooks in ad fraud to mimic user clicks on advertisements.

The experts found four new samples in the Play Store, which had been downloaded over 130,000 times in total.

The tainted apps posed as camera, wallpaper, SMS, and photo editing software:

  • com.app.reyflow.phote
  • com.race.mely.wpaper
  • com.landscape.camera.plus
  • com.vailsmsplus

The authors of the Joker malware attempt to hide its functionality by obfuscating the strings it uses; the recently discovered samples relied on a simple XOR cipher with a static key.
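A static-key XOR cipher offers no real protection against analysis: XOR is its own inverse, and because each ciphertext byte is a plaintext byte XORed with one key byte, guessing the start of any one string (a URL beginning with `http`, for instance) reveals the key bytes directly. The following script is an added example written for this article, not code from Check Point or from the Joker samples; the key, the string table and the placeholder URL in it are constructed for illustration.

```python
"""Analyst helper for static-key XOR string obfuscation (added example).

The key and obfuscated strings below are constructed for illustration;
they are not taken from the Joker samples described in the article.
"""
from itertools import cycle
from typing import List, Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. The same call both obfuscates and
    deobfuscates, because XOR is its own inverse."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> Optional[bytes]:
    """Recover a repeating XOR key from a known plaintext prefix.

    Since c[i] = p[i] ^ key[i % key_len], the first key_len bytes of known
    plaintext give every key byte directly. Returns None when the known
    prefix is shorter than the key, since some key bytes would be undetermined.
    """
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        return None
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def decode_strings(blobs: List[bytes], key: bytes) -> List[str]:
    """Decode a table of obfuscated strings, replacing undecodable bytes."""
    return [xor_bytes(b, key).decode("utf-8", errors="replace") for b in blobs]


# Constructed key and string table (NOT real Joker artefacts).
SAMPLE_KEY = b"k3y!"
SAMPLE_PLAINTEXTS = [
    "https://example.invalid/config",   # placeholder URL, not a real C2
    "android.permission.RECEIVE_SMS",
    "TelephonyManager.getSimOperator",
]
SAMPLE_BLOBS = [xor_bytes(s.encode(), SAMPLE_KEY) for s in SAMPLE_PLAINTEXTS]


def demo() -> dict:
    """Recover the key from the first blob, assuming it starts with 'http',
    then decode the whole table with the recovered key."""
    key = recover_key(SAMPLE_BLOBS[0], b"http", len(SAMPLE_KEY))
    return {"key": key, "strings": decode_strings(SAMPLE_BLOBS, key) if key else []}


if __name__ == "__main__":
    result = demo()
    print("recovered key:", result["key"])
    for s in result["strings"]:
        print(" ", s)
```

The known-plaintext guess is the practical part: an analyst rarely has the key up front, but string tables in Android malware almost always contain a URL, a permission name or a class name whose first bytes are predictable, and that is enough to recover a short static key and decode the rest of the table.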

Check Point experts noticed that the malware does not target devices in the U.S. and Canada: it implements a function that reads the mobile operator information specifically to filter out these regions.

“While avoiding the US and Canada, this Joker campaign proves the quick turn-around of experienced malicious actors. Almost every week since its launch, Joker managed to get into the official store and get downloaded into users’ devices.” reads the analysis published by Check Point.

Once the malware has checked the region of the target device, it will contact the C2 server to load a configuration file containing a URL for another payload that is downloaded and executed.

The subscription process is totally invisible to the user because the URLs for the premium services are opened in a hidden webview.

“With access to the notification listener, and the ability to send SMS, the payload listens for incoming SMS and extracts the premium service confirmation code (2FA) and sends it to the “Offer Page”, to subscribe the user to that premium service.” continues the report. “But how does the malware subscribe the user to those services in the first place, you might ask. Inside the configuration received from the C&C server, a list of URLs to contact (“Offer pages”) is processed and opened in a hidden webview.”

Check Point researchers discovered a new clicker malware family, tracked as Haken, that was hidden in eight apps on the Play Store that collectively have more than 50,000 installations.

“The Haken clicker utilizes native code and injection to Facebook and AdMob libraries while communicating with a remote server to get the configuration.” continues the analysis.

“The first entry point of the Haken clicker is the receiver called ‘BaseReceiver’. This receiver asks for permissions that the backdoored app (in this case, a compass application that actually provides a compass service) does not require to function, for instance, BOOT_COMPLETED, which lets the backdoored application run code at device start-up.”

As a rule, the tainted apps requested permissions that the legitimate app does not need.

Haken leverages these permissions to load a native library (‘kagu-lib’) and register two workers and a timer.

“One worker communicates with the C&C server to download a new configuration and process it, while the other is triggered by the timer, checks for requirements and injects code into the Ad-related Activity classes of well-known Ad-SDK’s like Google’s AdMob and Facebook” states Check Point.
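The recurring tell in both families described above is a mismatch between what the app claims to do and what its manifest asks for: a compass with a BOOT_COMPLETED receiver, or a wallpaper app with SMS permissions and a notification listener. The script below is an added example for this article (not Check Point's tooling) that triages a decoded AndroidManifest.xml against a per-category expectation list. The manifest, the category table and the class names in it are constructed for the demo; only the receiver name `BaseReceiver` and the permission names are taken from the article or from the Android platform.

```python
"""Manifest triage: flag permissions and components an app's stated purpose
does not justify (added example; the manifests below are constructed and
are not from the apps named in the article)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Minimal permission expectation per app category (assumption for the demo).
EXPECTED: Dict[str, Set[str]] = {
    "compass": {"android.permission.INTERNET",
                "android.permission.ACCESS_FINE_LOCATION"},
}

# Capabilities the article associates with Joker/Haken behaviour.
HIGH_RISK: Dict[str, str] = {
    "android.permission.RECEIVE_SMS": "can read incoming SMS (subscription confirmation codes)",
    "android.permission.SEND_SMS": "can send SMS (premium subscriptions)",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED": "runs at device start-up without user interaction",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def analyze_manifest(manifest_xml: str, category: str) -> List[str]:
    """Return human-readable findings for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings: List[str] = []

    # 1. Permissions outside what this category of app plausibly needs.
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    expected = EXPECTED.get(category, set())
    for perm in sorted(requested - expected):
        reason = HIGH_RISK.get(perm, "not required for a %s app" % category)
        findings.append("permission %s: %s" % (perm, reason))

    app = root.find("application")
    if app is not None:
        # 2. Receivers that run at boot, as Haken's BaseReceiver does.
        for receiver in app.iter("receiver"):
            actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
            if BOOT_ACTION in actions:
                findings.append("receiver %s registers for BOOT_COMPLETED"
                                % receiver.get(ANDROID_NS + "name"))
        # 3. Notification listeners, which let Joker observe SMS/2FA notifications.
        for service in app.iter("service"):
            if service.get(ANDROID_NS + "permission") == NOTIF_LISTENER:
                findings.append("service %s binds as a notification listener"
                                % service.get(ANDROID_NS + "name"))
    return findings


# Constructed manifest of a "compass" app with Joker/Haken-style additions.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.compass">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BaseReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

# Constructed manifest of a compass app that asks only for what it needs.
CLEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.compass">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("clean", CLEAN_MANIFEST)):
        print(name + ":")
        for line in analyze_manifest(xml, "compass") or ["no findings"]:
            print("  " + line)
```

A manifest check like this is a coarse first pass, not a verdict: it does not see native code or runtime injection, which is exactly where Haken does its work, so its value is in prioritising which submissions or installed apps deserve dynamic analysis.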

The report includes IoCs and the list of malicious apps, urging users to remove them from their devices.

Check Point already reported to Google the 12 malicious apps it has spotted on the Play Store and the company immediately removed them.


Pierluigi Paganini

(SecurityAffairs – Joker malware, Android)
