A new spyware has been making the rounds in Android apps on Google Play, infecting victims post-download to steal their SMS messages, contact lists and device information. In addition to stealing victims’ information, the malware also stealthily signs them up for premium service subscriptions that could quietly drain their wallets.
The malware, dubbed “the Joker” after one of its command-and-control (C2) domain names, has been seen over the past few weeks in 24 malicious apps – with a total of 472,000 installs – on the official Android app marketplace, warn researchers. A Google spokesperson told Threatpost that the apps have since been removed from Google Play.
“The described trojan employs notably stealthy tactics to perform quite malicious activities on Google Play, while hiding within the advertisement frameworks and not exposing too much of its malicious code out in the open,” said researcher Aleksejs Kuprins, in an analysis of the malware posted this week. “This malware kit stands out as a small and a silent one. It is using as little Java code as possible and thus generates as little footprint as possible.”
A list of the malicious apps (with their package names) can be found here, and includes apps such as “Ignite Clean,” “Leaf Face Scanner” and “Soby Camera.”
Android Spy that signs you up for SMS premium subscription (€6,71 per week) found in 24 apps on Google Play with 472,000+ installs
-campaign started in June 2019
-targets 37 countries
-can steal victim SMS, contact list + perform AdFraud
Found by @s_metanka https://t.co/A3Z4LGtSuG
— Lukas Stefanko (@LukasStefanko) September 4, 2019
The trojan, first spotted in June 2019, is hidden in the advertisement frameworks utilized by the 24 apps, which aggregate and serve in-app ads. After the apps are installed, they would show a “splash” screen, which would display the app logo, to throw off victims while performing various malicious processes in the background.
Behind the scenes, the app loads a second-stage Dalvik Executable file (DEX), which is a code file for the Android operating system. The file in turn drops the payload, which includes capabilities to snap up SMS messages, contact lists and device information from the victim’s handset.
Making matters worse, the malware automatically signs up victims for premium service subscriptions for various advertisements. “For example, in Denmark, Joker can silently sign the victim up for a 50 DKK/week service (roughly ~6,71 EUR),” said Kuprins. “This strategy works by automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for a SMS message with a confirmation code and extracting it using regular expressions.”
As a means of anti-detection, the malware also receives dynamic code and commands over HTTP and runs that code via JavaScript-to-Java callbacks: “Such an approach provides an extra layer of protection against static analysis, since a lot of instructions in this case are not hard-coded into the malicious app on Google Play,” said Kuprins – and since they aren’t hard-coded, it makes it more difficult for researchers to analyze them.
The malware targets users in 37 countries, including China, France, Germany, U.S. and the U.K., using a list of country codes. If the victim has a SIM card from one of these countries, the malware will execute the second-stage payload.
“The majority of the discovered apps target the EU and Asian countries, however, some apps allow for any country to join,” said Kuprins. “The [user interface] of C2 panel and some of the bot’s code comments are written in Chinese, which could be a hint in terms of geographical attribution.”
Joker is only the latest malicious app with spyware capabilities to be discovered on Google’s official app marketplace. In August, a music-streaming app offered on Google Play, harboring spyware that stole victims’ contacts, files and SMS messages, made its way onto the official Android app marketplace not once, but twice.
Earlier in 2019, Google Play removed at least 85 fake apps harboring adware, disguised as game, TV and remote-control simulator apps. Once downloaded, the fake apps hid themselves on the victim’s device and continued to show a full-screen ad every 15 minutes. Last year, Google removed 22 malicious adware apps, ranging from flashlights and call recorders to Wi-Fi signal boosters, that had been downloaded up to 7.5 million times from the Google Play marketplace. And, an Android app booby-trapped with malware was recently taken down from Google Play in November — after being available for download for almost a year.
That’s despite efforts by Google to bolster app security and privacy for Google Play, with the launch of new bug bounty incentives and through other attempts.
Kuprins for his part urged Google Play visitors to be wary of the permissions requested by any app.
“We recommend paying close attention to the permission list in the apps that you install on your Android device,” he said. “Obviously, there usually isn’t a clear description of why a certain app needs a particular permission, which means that whenever you are downloading any app — you are still relying on your gut feeling to some extent.”
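The permission review Kuprins recommends can be made systematic. The script below is an added example, not code from the article or the researcher: it parses a constructed AndroidManifest.xml for a hypothetical camera-filter app (not one of the listed apps) and flags the permissions the app’s stated purpose does not explain, singling out the SMS-plus-network and contact-access combination that the Joker behaviour described above depends on.

```python
import xml.etree.ElementTree as ET

# Attribute namespace used for android:name in manifests.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission strings grouped by the capability the article
# describes: SMS interception, contact theft and network access to C2.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CONTACT_PERMS = {"android.permission.READ_CONTACTS"}
NET_PERMS = {"android.permission.INTERNET"}

# Constructed sample manifest for a hypothetical camera-filter app;
# the package name and permission set are made up for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.camerafilter">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission> names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def triage(manifest_xml: str, expected_perms: set) -> dict:
    """Compare declared permissions with what the app's purpose needs.

    Returns the unexplained permissions and two flags: SMS access combined
    with network access, and contact access the purpose does not justify.
    """
    perms = declared_permissions(manifest_xml)
    unexplained = perms - expected_perms
    return {
        "unexplained": sorted(unexplained),
        "sms_and_network": bool(perms & SMS_PERMS) and bool(perms & NET_PERMS),
        "contacts_unexplained": bool(unexplained & CONTACT_PERMS),
    }


if __name__ == "__main__":
    # A camera filter plausibly needs the camera and, for ads, the network.
    print(triage(SAMPLE_MANIFEST, {"android.permission.CAMERA",
                                   "android.permission.INTERNET"}))
```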