Google has removed 17,000 Android apps to date from the Play store that have been conduits for the Joker malware (a.k.a. Bread) – and in an analysis of the code, said that Joker’s operators have “at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected.”
That variety and trial-and-error approach works well for Joker, given the sheer volume of variants and fake apps that are pitted against Play store defenses. The internet giant said that having three or more active variants of Joker in circulation at the same time using different approaches or targeting different carriers is the norm; and at peak times of activity, up to 23 different apps from the Joker family have been submitted to Play in one day. Google said that it detects and removes most of them before downloads occur.
Joker is a billing fraud family of malware that emerged in 2017 but started appearing in earnest in 2019. It advertises itself as a legitimate app, but once installed, carries out either SMS fraud (sending text messages to premium-rate numbers) or WAP billing fraud. The latter, where a user’s mobile account is used to pay for something (the charges show up on a subscriber’s cell phone bill), has become more prevalent for Joker, according to Google. Malware authors use injected clicks, custom HTML parsers and SMS receivers to automate the fraud process without requiring any interaction from the user.
Master of Disguise
While these types of fraud are not exclusive to Joker, the malware’s obfuscation efforts are what sets it apart, according to Google researchers.
“As the Play Store has introduced new policies and Google Play Protect has scaled defenses, Bread apps were forced to continually iterate to search for gaps,” wrote Alec Guertin and Vadim Kotov of the Android Security & Privacy Team, in a recent post. “Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere.”
Joker apps have been seen trying to hide strings from analysis engines via several different methods – including standard and custom encryption. Known encryption techniques used by Joker include using AES, Blowfish and DES as well as combinations of these to encrypt their strings; on the custom front, it has used basic XOR encryption, nested XOR and custom key-derivation methods.
“Some variants have gone so far as to use a different key for the strings of each class,” the researchers said.
Those encrypted strings however can tip off analysts that they’re trying to hide something, so Joker also used unencrypted strings that are hidden in other ways – such as breaking them up into pieces to prevent automated string-matching by antivirus and other security tools.
“Substrings are sometimes scattered throughout the code, retrieved from static variables and method calls. Various versions may also change the index of the split,” according to the analysis.
Similarly, some Joker apps have used delimiters, which are short, constant strings of characters that are inserted at strategic points to break up keywords. At runtime, the delimiter is removed before using the string.
Joker malware also goes to lengths to hide its activity from analysis. For instance, billing fraud requires certain permissions or actions, such as disabling Wi-Fi and accessing SMS, which are carried out by APIs. Because the usage of these APIs can be an indicator of bad app behavior, that use is often flagged for inspection by security solutions.
“Given that there are a limited number of behaviors required to identify billing fraud, Bread apps have had to try a wide variety of techniques to mask usage of these APIs,” the researchers said. “Most methods for hiding API usage tend to use Java reflection in some way. In some samples, Bread has simply directly called the Reflect API on strings decrypted at runtime.” They added that sometimes a Joker app will use Android’s native library to store the strings needed to access the SMS API.
On top of all of this, Joker apps have also used several commercially available packers including Qihoo360, AliProtect and SecShell to hide its code; and sometimes it hides in a native library shipped with the APK.
The one constant is the operators’ penchant for mixing and matching all of these tricks. “Within each variant, the malicious code present in each sample may look nearly identical with only one evasion technique changed. Sample 1 may use AES-encrypted strings with reflection, while Sample 2 (submitted on the same day) will use the same code but with plaintext strings,” the Google researchers said.
Other Analysis Notes
In addition to its obfuscation efforts, Joker is notable in some of its features as well. For instance, it checks which carrier the device is connected to and fetches a coordinating configuration from the command-and-control server (C2). This will tell it which functions to use (i.e. “toggle Wi-Fi state” or “read/modify SMS inbox” – and in some cases it’s give the ability to solve basic CAPTCHAs, which are the visual puzzles used by websites to weed out bot activity.
“First, the app creates a JavaScript function to call a Java method, getImageBase64, exposed to WebView using addJavascriptInterface,” explained the Google researchers. “The value used to replace GET_IMG_OBJECT comes from the JSON configuration. The app then uses JavaScript injection to create a new script in the carrier’s web page to run the new function. The base64-encoded image is then uploaded to an image recognition service. If the text is retrieved successfully, the app uses JavaScript injection again to submit the HTML form with the CAPTCHA answer.”
It should be noted that Joker apps vary in terms of how they swindle users into downloading them; sometimes the apps have fake reviews; and sometimes the attackers use versioning, where an initial download functions as advertised, with the malicious activity inserted later via an app update. That said, Joker apps also frequently contain no functionality beyond the billing process or simply clone content from other popular apps, Google noted.
Users should beware: In addition to billing fraud, some Joker apps have spyware functionality. In September for instance, Google removed 24 malicious Joker apps – with a total of 472,000 installs – from the Play store, which had the ability to steal SMS messages, contact lists and device information, in addition to signing them up for premium service subscriptions that could quietly drain their wallets.
Concerned about mobile security? Check out our free Threatpost webinar, Top 8 Best Practices for Mobile App Security, on Jan. 22 at 2 p.m. ET. Poorly secured apps can lead to malware, data breaches and legal/regulatory trouble. Join our experts to discuss the secrets of building a secure mobile strategy, one app at a time. Click here to register.
