The Joker mobile trojan is back on Google Play, with an uptick in malicious Android applications that hide the billing-fraud malware, researchers said. It’s also using new approaches to skirt past Google’s app-vetting process.
Joker has been around since 2017, disguising itself within common, legitimate apps like camera apps, games, messengers, photo editors, translators and wallpapers. Once installed, Joker apps silently simulate clicks and intercept SMS messages to subscribe victims to unwanted, paid premium services controlled by the attackers – a type of billing fraud that researchers categorize as “fleeceware.” The apps also steal SMS messages, contact lists and device information. Often, the victim is none the wiser until the mobile bill arrives.
Malicious Joker apps are commonly found outside of the official Google Play store, but they have also continued to slip past Google Play's protections since 2019. That's mostly because the malware's authors keep making small changes to their attack methodology. As a result, there have been periodic waves of Joker infestations inside the official store, including two massive onslaughts last year. According to researchers at Zimperium, more than 1,800 Android applications infected with Joker have been removed from the Google Play store in the last four years.
In the latest wave, at least 1,000 new samples have been detected just since September, many of them finding their way into the official marketplace, researchers said.
“Malicious actors have routinely found new and unique ways to get this malware into both official and unofficial app stores,” according to a Zimperium analysis, posted Tuesday. “While they are never long for life in these repositories, the persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat-and-mouse game.”
Legitimate Developer Techniques
The developers of the latest versions of Joker, which began emerging in late 2020, are taking advantage of legitimate developer techniques to “try and hide the actual intent of the payload from traditional, legacy-based mobile security toolsets,” according to Zimperium — which helps them evade both device-based security and app store protections.
One way they’re doing that is to use Flutter, which is an open-source app development kit designed by Google that allows developers to craft native apps for mobile, web and desktop from a single codebase. The use of Flutter to code mobile applications is a common approach, and one that traditional scanners see as benign.
“Due to the commonality of Flutter, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies,” explained the researchers.
Other New Tricks in the Bag
According to the analysis, another anti-detection technique lately adopted by Joker's operators is embedding the payload as a Dalvik executable (.DEX) file that can be obfuscated in different ways, such as being encrypted with a number, or hidden inside an image using steganography. In the latter case, the image is sometimes hosted in legitimate cloud repositories or on a remote command-and-control (C2) server, researchers said.
Other new behavior includes using URL shorteners to hide the C2 addresses, and using a combination of native libraries to decrypt an offline payload.
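As an added example (not code from Zimperium's analysis or from this article), the following Python check looks for one of the hiding techniques described above: a PNG image carrying a DEX payload appended after its IEND chunk, optionally XOR'd with a single byte. It assumes that "encrypted with a number" means a single-byte XOR key; the sample image and the fake DEX header are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
DEX_MAGIC = b"dex\n"  # a real DEX header continues with a version, e.g. b"035\x00"


def png_trailer(data: bytes) -> bytes:
    """Return whatever follows the IEND chunk. A well-formed PNG ends right
    after IEND's 4-byte CRC, so any trailer is worth a closer look."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # header + payload + CRC
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    return b""


def find_xored_dex(blob: bytes):
    """Search blob for a DEX magic that is plain (key 0) or XOR'd with one byte
    (assumed encoding). Returns (offset, key) or None."""
    for key in range(256):
        needle = bytes(b ^ key for b in DEX_MAGIC)
        off = blob.find(needle)
        if off != -1:
            return off, key
    return None


def scan_png(data: bytes):
    """Flag a PNG whose trailer hides a (possibly XOR'd) DEX file."""
    trailer = png_trailer(data)
    hit = find_xored_dex(trailer) if trailer else None
    if hit is None:
        return None
    off, key = hit
    return {"trailer_len": len(trailer), "dex_offset": off, "xor_key": key}


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample: a 1x1 PNG skeleton, then 2 bytes of padding and a fake
# 32-byte DEX header XOR'd with key 0x5A appended after IEND.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN_PNG = PNG_SIG + _chunk(b"IHDR", IHDR) + _chunk(b"IEND", b"")
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 24
SAMPLE_PNG = CLEAN_PNG + b"\x00\x00" + bytes(b ^ 0x5A for b in FAKE_DEX)
```

Run over the images in an APK's assets or resources directory, a non-empty trailer containing a DEX magic is a strong signal for this loader pattern, though a real payload may use a stronger cipher than a single XOR byte.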
Researchers said that the new samples also take extra precautions to remain hidden after a trojanized app is installed.
“After successful installation, the application infected with Joker will run a scan using Google Play APIs to check the latest version of the app in Google Play Store,” they explained. “If there is no answer, the malware remains silent since it can be running on a dynamic analysis emulator. But if the version found in the store is older than the current version, the local malware payload is executed, infecting the mobile device. If the version in the store is newer than the current one, then the C2s are contacted to download an updated version of the payload.”
No Joke: Consumers and Enterprises Alike at Risk
The apps are cropping up not only in Google Play and unofficial third-party markets, but also in other sanctioned outlets, some for the first time. For instance, AppGallery – Huawei's official app store for its Android devices – was recently found to be infested with apps that contained the Joker trojan. According to Doctor Web back in April, the apps were downloaded by unwitting users to more than 538,000 devices.
“Sadly, the Joker malware is no joke,” Saryu Nayyar, CEO at Gurucul, said via email. “And even more depressing, no dark knight is going to ride in to save users from these malicious apps. Users have to manually clean their devices of this pesky malware. The good news is that it appears the only damage is financial, and likely temporary. Users who have been subscribed to premium mobile services as a result of this malware can request refunds for said services since the affected applications are known.”
Josh Bohls, CEO and founder at Inkscreen, noted earlier in the year that Joker is also a problem for companies, not just individuals.
“These malicious applications can find their way into the enterprise when an infected device is enrolled in a company’s bring-your-own-device (BYOD) program, and suddenly you have a new threat vector,” he said via email. “We hope to see better app review processes by Apple and Google, and that consumer and business buyers continue to educate themselves on how to select appropriate mobile applications.”