The Joker malware, which subscribes Android users to premium services without their consent, is causing difficulties for Google, as new samples constantly bypass its controls and end up in the Play Store.
The malware is constantly evolving, and new specimens found in the official Android repository appear to have been created specifically to evade Google's detection mechanisms.
Also known as Bread, the malware is spyware with premium-subscription fraud capabilities: it can access notifications and read and send SMS. These capabilities are used to sign victims up to premium services without their knowledge.
The Joker avoids the US and Canada
Check Point researchers recently discovered four new specimens in the Play Store, in applications with a combined install count of over 130,000. The malware was hidden in camera, wallpaper, SMS and photo-editing apps.
To hide the malicious functionality in infected applications, the relevant strings are obfuscated with simple XOR encryption under a static key. These strings control the check for an initial payload; if none is present, one is downloaded from a command-and-control (C2) server.
The malware does not target devices in the US and Canada: Check Point found a routine that reads the mobile operator information specifically to filter out those regions.
If the conditions are met, Joker contacts its C2 server to retrieve a configuration file containing a URL for another payload, which is executed immediately after download.
The subscription process is invisible to the user, because the URLs of the premium services listed in the configuration file are opened in a hidden WebView.
The Joker developer frequently adapts the code to stay undetected. Google says that many of the samples it found appear to have been created specifically for distribution through the Play Store, as they did not appear anywhere else.
Since Google began tracking Joker in early 2017, the company has removed about 1,700 infected apps from the Play Store. That has not discouraged the malware's author, who "used almost every technique to prevent detection".
New Joker samples appear almost daily in Google's Play Store, says Aviran Hazum, a mobile security researcher at Check Point.
The other malware, a clicker, exists for advertising fraud: it mimics users' clicks on ads. Mobile ad fraud is a constant challenge these days, as it can take many forms. For this offense, Google announced yesterday that it had removed nearly 600 apps from its official Android store and also banned them from its ad monetization platforms, Google AdMob and Google Ad Manager.
Named Haken, the new malicious code relies on native code and injection into the Facebook and AdMob libraries, and receives its configuration from a remote server after passing Google's verification process.
The malware was embedded in applications that offer advertising functionality. One sign of malicious intent is a request for permissions the host application does not need, such as running code when the device boots.
Once it has the necessary permissions, Haken pursues its goal by loading a native library (kagu-lib) and registering two service workers.
The native code injected into the ad SDK (software development kit) lets the backdoor hook into the processes of applications already in the Play Store, allowing Haken to keep a low profile while generating revenue from fraudulent ad campaigns.
It is not clear how long the malware has been active or how much revenue it has accumulated, but the low install count suggests its spread is limited. Users who still have the following applications on their devices are advised to remove them:
- Kids Coloring – com.faber.kids.coloring
- Compass – com.haken.compass
- qrcode – com.haken.qrcode
- Fruits Coloring Book – com.vimotech.fruits.coloring.book
- Soccer Coloring Book – com.vimotech.soccer.coloring.book
- Fruit Jump Tower – mobi.game.fruit.jump.tower
- Ball Number Shooter – mobi.game.ball.number.shooter
- Inongdan – com.vimotech.inongdan