“Joker”—the malware that signs you up for pricey services—floods Android markets

September has been a busy month for malicious Android apps, with dozens of them from a single malware household alone flooding both Google Play or third-party markets, researchers from safety firms stated.

Often called Joker, this household of malicious apps has been attacking Android customers since late 2016 and extra not too long ago has change into some of the widespread Android threats. As soon as put in, Joker apps secretly subscribe customers to dear subscription providers and may steal SMS messages, contact lists, and machine data. Final July, researchers stated they discovered Joker lurking in 11 seemingly reputable apps downloaded from Play about 500,000 occasions.

Late final week, researchers from safety agency Zscaler stated they discovered a brand new batch comprising 17 Joker-tainted apps with 120,000 downloads. The apps have been uploaded to Play step by step over the course of September. Safety agency Zimperium, in the meantime, reported on Monday that firm researchers discovered 64 new Joker variants in September, most or all of which have been seeded in third-party app shops.

And as ZDNet famous, researchers from safety corporations Pradeo and Anquanke discovered extra Joker outbreaks this month and in July respectively. Anquanke stated it had discovered greater than 13,000 samples because it first got here to mild in December 2016.

“Joker is likely one of the most outstanding malware households that frequently targets Android gadgets,” Zscaler researcher Viral Gandhi wrote in final week’s submit. “Regardless of consciousness of this specific malware, it retains discovering its approach into Google’s official utility market by using adjustments in its code, execution strategies, or payload-retrieving strategies.”

Digital sleight of hand

One of many keys to Joker’s success is its roundabout approach of assault. The apps are knockoffs of reputable apps and, when downloaded from Play or a distinct market, include no malicious code aside from a “dropper.” After a delay of hours and even days, the dropper, which is closely obfuscated and comprises only a few strains of code, downloads a malicious element and drops it into the app.

Zimperium supplied a movement chart that captures the 4 pivot factors every Joker pattern makes use of. The malware additionally employs evasion strategies to disguise obtain parts as benign functions like video games, wallpapers, messengers, translators, and photograph editors.


The evasion strategies embody encoded strings contained in the samples the place an app is to obtain a dex, which is an Android-native file that includes the APK bundle, probably together with different dexes. The dexes are disguised as mp3 .css, or .json recordsdata. To additional cover, Joker makes use of code injection to cover amongst reputable third-party packages—reminiscent of org.junit.inner, com.google.android.gms.dynamite, or com.unity3d.participant.UnityProvider—already put in on the cellphone.

“The aim of that is to make it more durable for the malware analyst to identify the malicious code, as third-party libraries normally include a number of code and the presence of further obfuscation could make the duty of recognizing the injected lessons even more durable,” Zimperium researcher Aazim Yaswant wrote. “Moreover, utilizing legit bundle names defeats naïve [blocklisting] makes an attempt, however our z9 machine-learning engine enabled the researchers to securely detect the aforementioned injection methods.”

The Zscaler writeup particulars three kinds of post-download strategies to bypass Google’s app-vetting course of: direct downloads, one-stage downloads, and two-stage downloads. Regardless of the supply variations, the ultimate payload was the identical. As soon as an app has downloaded and activated the ultimate payload, the knock-off app has the flexibility to make use of the person’s SMS app to enroll in premium subscriptions.

A Google spokesman declined to remark aside from to notice that Zscaler reported that the corporate eliminated the apps as soon as they have been privately reported.

Day after day

With malicious apps infiltrating Play on a daily, usually weekly, foundation, there’s at the moment little indication the malicious Android app scourge shall be abated. Meaning it’s as much as particular person finish customers to keep away from apps like Joker. The very best recommendation is to be extraordinarily conservative within the apps that get put in within the first place. A very good guideline is to decide on apps that serve a real objective and, when attainable, select builders who’re identified entities. Put in apps that haven’t been used up to now month needs to be eliminated until there’s an excellent cause to maintain them round.

Utilizing an AV app from Malwarebytes, Eset, F-Safe, or one other respected maker can also be an choice, though they, too, can have problem detecting Joker or different malware.


Please enter your comment!
Please enter your name here