Joker Trojans Flood the Android Ecosystem

joker malware apps google Play

September saw dozens of Joker malware variants hitting Google Play and third-party app stores.

More variants of the Joker Android malware are cropping up in Google Play as well as third-party app stores, in a trend that researchers say points to a relentless targeting of the Android mobile platform.

Researchers at Zscaler have found 17 different samples of Joker being regularly uploaded to Google Play during September. Collectively, these have accounted for 120,000 downloads, the firm said.

Meanwhile, Zimperium analysts said that they’re finding malicious applications on user devices every day, mostly arriving through third-party stores, sideloaded applications and malicious websites that trick users into downloading and installing apps. In all, they’ve identified 64 new variants of Joker during September alone.

The Joker malware has been around since 2017 – it’s a mobile trojan that carries out a type of billing fraud that researchers categorize the malware as “fleeceware”. The Joker apps advertise themselves as legitimate apps (like games, wallpapers, messengers, translators and photo editors). Once installed, they simulate clicks and intercept SMS messages to subscribe victims to unwanted, paid premium services. The apps also steal SMS messages, contact lists and device information.

Malicious Joker apps are commonly found outside of the official Google Play store, as Zimperium noted, but Joker apps have continued to skirt Google Play’s protections since 2019 too. That’s mostly because the malware’s author keeps making small changes to its attack methodology.

“[Joker] keeps finding its way into Google’s official application market by employing changes in its code, execution methods or payload-retrieving techniques,” said researchers with Zscaler, in a recent blog. The 17 apps they flagged in Google Play have been removed, they added.

New Variants: Technical Details

Joker’s main functionality is carried out by loading a DEX file, according to a technical analysis from Zimperium. DEX files are executable files saved in a format that contains compiled code written for Android. Multiple DEX files are typically zipped into a single .APK package, which serves as a final Android application file for most programs.

In Joker’s case, an application, once installed, connects to a URL to receive a payload DEX file, which is “almost the same among all the Jokers, except that some use a POST request while others use a GET request,” according to Zimperium.

“The Joker trojans pose a higher risk to Android users as the user interface is designed to look very normal and covertly perform the malicious activity,” according to Zimperium researchers. “The trojan displays the screen…with a progress bar and ‘Loading data…’ but is meanwhile connecting to the first-stage URL and downloading the payload.”

Joker apps also use code-injection techniques to hide among commonly used package names like org.junit.internal, com.google.android.gms.dynamite or com.unity3d.player.UnityProvider, Zimperium analysts noted.

“The purpose of this is to make it harder for the malware analyst to spot the malicious code, as third-party libraries usually contain a lot of code and the presence of additional obfuscation can make the task of spotting the injected classes even harder, they explained in a blog posting on Monday. “Furthermore, using legit package names defeats naïve blacklisting attempts.”

Recent variants exhibited some new tricks, such as the use of AES encryption, and code injection into Android’s “content provider” function.

“In an attempt to hide the interesting strings related to the maliciousness of Jokers, the trojan retrieves the encrypted strings from resources (/resources/values/strings.xml) which is decrypted using ‘AES/ECB,'” said Zimperium researchers. “The decryption mechanism in Jokers is usually a plain AES or DES encryption that has evolved in an attempt to not raise suspicion with the encrypted strings by obfuscating them.”

Meanwhile, the new variants also insert code into functions of the content provider, which is an Android component used to handle databases and information through functions like query() and delete(), researchers said.

In all, it’s clear that Joker continues to be a scourge for Android users.

“Every day, Zimperium’s researchers find malware installed on user devices,” the firm concluded. “Malware that is not supposed to be there, but that is. The samples reported in this blog post are just a subset of them – the tip of the iceberg.”

Suggested articles