Researchers at Check Point have found Joker malware infecting Android phones in a new way. The Joker malware has evolved to use the app's manifest file to retrieve a malicious DEX file, hidden in Base64 strings. This is used to subscribe users to premium services, earning the operators money.
Joker Malware Spreading Through Playstore
Joker malware has been a persistent presence on Android since 2017. This malware (also known as Bread) has been documented by several research teams, including Dr. Web, CSIS, Kaspersky and Trend Micro, in various forms. Though Google regularly tightens the Play Store rules, Joker malware keeps evolving new techniques to bypass those checks.
Now, according to Check Point researchers, Joker malware abuses a legitimate feature, the app's manifest file, which stores the app's metadata. The manifest is used to load a Base64-encoded DEX file; a further identified variant obfuscates the malicious DEX file inside Base64 strings, thus evading antivirus scans.
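One defensive check this technique suggests is to look for manifest meta-data values that decode from Base64 into a DEX file. The following is an added example, not Check Point's tooling or the malware's code; it assumes the binary AndroidManifest.xml has already been decoded to plain XML (for example with apktool) and uses a constructed manifest whose `loader_blob` entry carries a fake DEX header.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEX_MAGIC = b"dex\n"   # every DEX file starts with "dex\n" followed by "0NN\0"
MIN_B64_LEN = 64       # values shorter than this cannot hold a DEX header


def find_embedded_dex(manifest_xml: str) -> list:
    """Return [(meta-data name, DEX version)] for every <meta-data> whose
    android:value is Base64 that decodes to bytes carrying the DEX magic."""
    hits = []
    root = ET.fromstring(manifest_xml)
    for md in root.iter("meta-data"):
        name = md.get(ANDROID_NS + "name", "")
        compact = re.sub(r"\s+", "", md.get(ANDROID_NS + "value", ""))
        # Skip ordinary values (version numbers, flags, short strings).
        if len(compact) < MIN_B64_LEN or not re.fullmatch(r"[A-Za-z0-9+/=]+", compact):
            continue
        try:
            raw = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw.startswith(DEX_MAGIC):
            version = raw[4:7].decode("ascii", "replace")  # e.g. "035"
            hits.append((name, version))
    return hits


# Constructed sample: a DEX header followed by zero padding, not a real classes.dex.
FAKE_DEX = b"dex\n035\x00" + bytes(120)
FAKE_B64 = base64.b64encode(FAKE_DEX).decode()

# Constructed manifest with one benign and one suspicious meta-data entry.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <meta-data android:name="com.google.android.gms.version" android:value="12451000"/>
    <meta-data android:name="loader_blob" android:value="{FAKE_B64}"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(find_embedded_dex(SAMPLE_MANIFEST))
```

A match only shows that a DEX payload is stored in the manifest, which is unusual enough to warrant a closer look; the DEX itself still needs to be extracted and analysed to confirm malicious behaviour.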
After gaining a foothold on the device, it does what the entire Joker family has done since 2017: subscribe the user to unwanted services. Here Joker uses the Notification Listener and a dynamic DEX file obtained from the attacker's C2 server to subscribe the host (victim) to unknown premium services, thereby earning commissions.
The attacker also has the option of sending a false status code to end the activity if anything seems wrong. Check Point researchers found 11 apps using this technique and informed Google, which has since delisted them. Joker malware authors are clever at infecting Android devices.
They use techniques such as posting fake positive reviews on the Play Store to gain the target's trust, encrypting the malicious payload to avoid detection, and even versioning, a method where a clean app is submitted for review and downloaded by users, with the payload delivered in later updates. Regularly check for such malicious apps requesting permissions and subscribing to unwanted services.