Updated Joker Malware Returns To Android Apps


The Joker billing fraud malware has returned to Google Play with updated tools to avoid detection. Joker has been around since 2017, disguised within legitimate apps like camera apps, games, messengers, photo editors, translators and wallpapers. Once installed, Joker apps silently simulate clicks and intercept SMS messages to subscribe victims to paid, premium services controlled by the hackers. The apps also steal SMS messages, contact lists and device information. The victims are not aware until the bill arrives.

Joker apps are usually found outside of the official Google Play store, but they've continued to avoid Google Play's protections since 2019. This is mostly because the hackers behind Joker keep making small changes to their attack methodology. Because of this, there are regular waves of Joker infestations inside the official store, including two massive ones last year. According to researchers at Zimperium, more than 1,800 Android applications infected with Joker have been removed from the Google Play store in the last four years.


In the latest shift, 1,000 new apps have been found in under a year. Hackers continue to find new ways to get the malware into both official and unofficial app stores. The apps usually don't stay in the stores for long, but their persistence highlights how mobile malware does not disappear; it continues to be modified.

The latest versions of Joker, which were detected in late 2020, take advantage of legitimate developer techniques to hide the actual intent of the payload, which helps them avoid both device-based security and app store protections. One method is to use Flutter, an open-source app development kit designed by Google that allows developers to craft native apps for mobile, web and desktop from a single codebase. Using Flutter to build mobile applications is a common approach, and one that traditional scanners see as benign. Because Flutter is so widely used, even malicious apps built with it look legitimate.

The apps are popping up in Google Play, in unofficial third-party markets and in other sanctioned outlets such as AppGallery. According to Doctor Web, the apps were downloaded by unwitting users to more than 500,000 devices. Users have to manually remove the malware from their devices. The good news is that it is only used for financial gain and the damage is likely temporary. Users who have been subscribed to premium mobile services as a result of this malware can request refunds for the unauthorized services, since the affected applications are known. The malicious apps can also find their way into the enterprise when an infected device is enrolled in a company's bring-your-own-device program, creating a new threat vector.