Hackers and Google Play have been locked in a tense dance for the past decade. The hackers slip malware into the Android app store owned by Google. Google throws it out and develops protections to prevent it from happening again. Then the crooks find a new opening and do it all over again. This two-step has played out once more, this time with a malware family known as Joker, which has been infiltrating Play since at least 2017.
Joker is malicious code embedded in seemingly legitimate applications. It often waits hours or days after the app is installed before running, in an attempt to avoid Google's automated malware detection. On Thursday, researchers with the security company Check Point said that Joker has struck again, this time in 11 applications that appear to have been downloaded about 500,000 times. Once activated, the malware allows the applications to subscribe users to premium services.
The new variant uses a new trick to go undetected: it hides its malicious payload in what is known as the manifest, the file Google requires every application to have in its root directory. Google's intention is for the XML file to provide transparency by making permissions, tags, and other information about the application easier to find.
Joker's developers found a way to use that transparency to their advantage. Their applications include legitimate code for things such as writing text or displaying images in the expected sections of the installation file. Then they hide the malicious code in the manifest's metadata.
The developers add two layers of stealth. First, the malicious code is stored as base64-encoded strings, which are not human-readable. Second, while Google is evaluating the applications, the malicious payload stays dormant. Only after the app is approved does the Joker code get loaded and run. Google removed the apps after Check Point reported them.
In January, Google published a detailed description of Bread, another name for Joker, that outlined the many ways it evades detection. The post said that Play Protect, Google's automated scanning service, had detected and removed 1,700 unique apps from the Play Store before they were ever downloaded. Check Point's discovery of a new batch of apps downloaded half a million times shows the limits of Play Protect.
“Our latest findings show that Google Play store protections are insufficient,” Aviran Hazum, Check Point’s manager of mobile research, wrote in an email. “We are able to see many cases of Joker downloads on a weekly basis to Google Play, all of which are downloaded by unsuspecting users. Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect the Joker to be normal again.”
To avoid detection, earlier Joker variants often retrieved the malicious payload, in the form of a dynamically loaded dex file, from the command-and-control server after the app was already installed. As Google's defenses improved, that method became less effective. The developers' solution was to store the dex file, as base64-encoded strings, inside the manifest. To be activated, the payload only needs confirmation from the control server that the campaign is running. Check Point also found another Joker variant that stores the base64 strings in an inner class of the main application.
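The hiding technique described above suggests a simple triage check that an app reviewer or analyst can run: walk the `<meta-data>` entries of a manifest, try to base64-decode any long value, and flag blobs that begin with a dex header. This is an added example, not code from Check Point or Google; it assumes the manifest has already been decoded from the APK's binary XML (for instance with apktool), and the sample manifest, package name and metadata names below are constructed.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEX_MAGIC = b"dex\n"          # every classes.dex starts with "dex\n" plus a version such as "035\0"
MIN_BLOB_CHARS = 64           # shorter base64 values are far too small to carry code

def decode_if_base64(value: str) -> Optional[bytes]:
    """Return the decoded bytes when value is a long, strictly valid base64 string, else None."""
    compact = re.sub(r"\s+", "", value)
    if len(compact) < MIN_BLOB_CHARS or not re.fullmatch(r"[A-Za-z0-9+/]+=*", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None

def find_suspicious_metadata(manifest_xml: str) -> List[Dict]:
    """List <meta-data> values that decode from base64; flag those that start with a dex header."""
    findings = []
    for node in ET.fromstring(manifest_xml).iter("meta-data"):
        decoded = decode_if_base64(node.get(ANDROID_NS + "value", ""))
        if decoded is not None:
            findings.append({
                "name": node.get(ANDROID_NS + "name", ""),
                "decoded_len": len(decoded),
                "is_dex": decoded.startswith(DEX_MAGIC),
            })
    return findings

# Constructed sample (hypothetical names): a normal SDK version string, a harmless base64
# blob such as a serialized asset, and a blob that carries a fake dex header.
BENIGN_BLOB = base64.b64encode(b"A" * 48).decode()
FAKE_DEX_BLOB = base64.b64encode(b"dex\n035\x00" + b"\x00" * 40).decode()
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application>
    <meta-data android:name="com.example.sdk.version" android:value="3.2.1"/>
    <meta-data android:name="com.example.asset.blob" android:value="{BENIGN_BLOB}"/>
    <meta-data android:name="com.example.hidden.code" android:value="{FAKE_DEX_BLOB}"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for hit in find_suspicious_metadata(SAMPLE_MANIFEST):
        flag = "DEX HEADER" if hit["is_dex"] else "base64 blob"
        print(f'{flag:12} {hit["name"]} ({hit["decoded_len"]} bytes)')
```

A blob that decodes but lacks the dex header is still worth a look, since a payload can be wrapped in a zip or further obfuscated before encoding; the header check only catches the plain case the report describes.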
The 11 applications Check Point found:
- com.cheery.message.send (two different instances)
Anyone who has installed one of these apps should check their billing statements for unknown charges.
By now, most readers know the standard Android app security advice. Most importantly, users should install apps only when they provide a real benefit or are genuinely needed. When possible, users should favor applications from known developers, or at least from those with websites or other history indicating they are not fly-by-night operations. People should periodically check what applications are installed and remove any that are not in use.