More Joker malware apps chucked off Google Play Store

Infamous Joker billing fraud malware continues to sneak past Google’s security controls

Google has removed 11 malicious apps infected with the infamous Joker billing fraud malware from the Google Play Android app store following a tip-off from malware experts at Check Point.

Joker was first identified and tracked three years ago and is described by Google as one of the most persistent threats it has had to deal with since 2017. Its coders have used “just about every cloaking and obfuscation technique under the sun” to try to throw Google off the scent.

Joker is a combination spyware and premium dialler app that hides inside legitimate-looking apps, for example apparently innocuous wallpaper downloads.

However, once installed on its victim’s device, it can access notifications and read and send SMS texts. It uses these capabilities to subscribe victims to premium rate services.

According to Check Point’s Aviran Hazum, who has been on its trail for some time, Joker has recently had an update and now deploys a new method whereby it hides malicious code inside the Android Manifest file of a genuine app.

The Android Manifest file contains essential information about the app, such as its name, icon and permissions – information that it must provide to the target device’s Android system before it can run any of its code.

By doing this, said Hazum, Joker does not need to access a command and control (C2) server in order to download its malicious payload, because the payload is now prebuilt and ready to go. This has the effect of making it much easier for Joker to slip unnoticed past the Google Play Store’s protections.
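A defender-side check for the behaviour described above, added here as an example and not taken from Check Point or Google: it reads a decoded AndroidManifest.xml and flags SMS permissions, a notification-listener service, and unusually long encoded attribute values. The 200-character threshold, the assumption that an embedded payload would show up as a long base64 string, and the sample manifest are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS"}
NOTIF_BIND = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
MIN_BLOB_LEN = 200  # assumed threshold: ordinary manifest values are short

def looks_like_encoded_blob(value):
    """True for a long string that is valid base64 (assumed payload encoding)."""
    if len(value) < MIN_BLOB_LEN:
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def triage_manifest(xml_text):
    """Return a list of findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for p in sorted(perms & SMS_PERMS):
        findings.append("sms-permission:" + p)
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == NOTIF_BIND:
            findings.append("notification-listener:" + str(svc.get(ANDROID_NS + "name")))
    for elem in root.iter():  # any attribute on any element can carry a blob
        for value in elem.attrib.values():
            if looks_like_encoded_blob(value):
                findings.append("opaque-value:%s (%d chars)" % (elem.tag, len(value)))
    return findings

# Constructed sample: harmless placeholder bytes stand in for an embedded payload.
BLOB = base64.b64encode(b"constructed placeholder, not a payload. " * 8).decode()
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpaper">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <meta-data android:name="config" android:value="%s"/>
    <service android:name=".NotifySvc" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>""" % BLOB

if __name__ == "__main__":
    print("\n".join(triage_manifest(SAMPLE)))
```

Each finding is a prompt for manual review rather than a verdict: legitimate messaging apps request the same permissions, so the combination with an opaque value is what deserves attention.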

“Joker adapted,” said Hazum. “We found it hiding in the ‘essential information’ file every Android application is required to have. Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users.

“The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people.”

Hazum advised Android users on what to do if they suspect an app on their device is infected with Joker. First, uninstall the app immediately, then check mobile and credit card bills for any subscriptions you do not recognise, and be prepared to cancel and/or dispute these. It may also be advisable to install a mobile security service on the device to guard against future infections – multiple services are available.

Check Point disclosed the existence of the 11 compromised apps to Google through its disclosure programme, and they were removed by 30 April 2020.
