We have repeatedly talked about the Joker malware (or Bread, in Google's terminology), first discovered by information security specialists in 2017. Initially, the malware was designed to carry out SMS fraud, but much has changed since then, especially after the introduction of a new policy restricting the use of the SEND_SMS permission and the strengthening of Google Play Protect.
Because of this, newer versions of Joker switched to a different type of fraud: they tricked their victims into subscribing to or buying various kinds of content, charged to the mobile phone bill. To accomplish this without user interaction, the malware operators used click injections, custom HTML parsers, and SMS receivers.
Over time, Joker has evolved so much that it has used almost every well-known hiding and obfuscation technique, and at the beginning of this year Google Play began to find more and more Joker variants, some of whose components were moved into native code.
Now experts from Check Point report that they have again found Joker in the official application catalog. This time, the malware hid its malicious code (a Base64-encoded DEX executable) inside the manifest file (AndroidManifest.xml) of legitimate applications. The manifest file is stored in the root folder of the application and contains important information that the Android system needs, including the application's name, icon and required permissions. Only after reading the manifest can the system execute any of the application's code.
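One way a defender can check for this hiding technique, as an added example that is not part of the original article or Check Point's research: scan a decoded (text) AndroidManifest.xml for long Base64 runs and flag any that decode to bytes starting with the DEX file magic. The sample manifest, the 64-character minimum run length and the stub DEX header are constructed here for illustration.

```python
import base64
import re

# A DEX file begins with "dex\n", a three-digit format version and a NUL byte.
DEX_MAGIC = re.compile(rb"dex\n\d{3}\x00")

# Runs of Base64 alphabet long enough to plausibly carry an executable; the
# 64-character floor is an assumption chosen to keep short tokens out.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def find_embedded_dex(manifest_text):
    """Return [(attribute_prefix, decoded_size)] for every Base64 run in the
    decoded manifest text that decodes to bytes carrying the DEX magic."""
    hits = []
    for m in B64_RUN.finditer(manifest_text):
        blob = m.group(0)
        blob += "=" * (-len(blob) % 4)  # repair stripped padding
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if DEX_MAGIC.match(decoded):
            line_start = manifest_text.rfind("\n", 0, m.start()) + 1
            hits.append((manifest_text[line_start:m.start()].strip(), len(decoded)))
    return hits


# Constructed sample: a stub DEX header (magic plus zero padding) hidden in a
# meta-data value, next to a benign Base64 string of the same size.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 56
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <application android:label="Demo">
    <meta-data android:name="config" android:value="%s"/>
    <meta-data android:name="banner" android:value="%s"/>
  </application>
</manifest>
""" % (base64.b64encode(FAKE_DEX).decode(), base64.b64encode(b"A" * 64).decode())

if __name__ == "__main__":
    for where, size in find_embedded_dex(SAMPLE_MANIFEST):
        print("embedded DEX (%d bytes) found at: %s" % (size, where))
```

A packed APK stores the manifest in binary XML, so run this on the output of a decoder such as apktool, or adapt the scan to the string pool of the binary form.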
This time, the Joker attack was carried out in three stages. The first step is preparing the payload: Joker operators injected the malicious code into the manifest file in advance, but the final payload was not downloaded immediately. So, during the review checks, Joker did not even attempt to load the malicious payload, which once again helped the malware operators deceive the Google Play Store's protection tools. Only after the Google Play Store's security mechanisms had approved the application was the payload downloaded directly to the victim's device.
As a result, the new Joker variant could download additional malware to the device that secretly subscribed the victim to paid services. In Google's official app store, 11 such infected applications were found; they were removed from the Play Store by April 30, 2020.
"Joker is constantly changing, adapting to new conditions. We found that it is hiding in a file with the necessary information, the file that is contained in every Android application," says Aviran Hazum, mobile research specialist at Check Point Software Technologies. "Our latest research shows that Google Play Store protection is not enough. Every week we spotted numerous instances of Joker being uploaded to Google Play, each of which was downloaded by unsuspecting users. The Joker malware is hard to detect despite Google's investment in Play Store security. Although Google has now removed the malicious applications from the Play Store, it can be assumed that Joker will return again. Every user should know about this program and understand how they could be affected by it."