Google removes 17 apps infected with evasive ‘Joker’ malware

Google has removed a further 17 apps embedded with Joker malware after security experts warned of the fleeceware's continued rise in prominence.

The billing-fraud strain of malware was found in six apps marketing themselves as legitimate in early September, accounting for 200,000 installs. Google has now removed a further 17 apps infected with the malware from the Play Store after researchers with Zscaler alerted the company to their presence.

The malware simulates clicks and intercepts SMS messages to trick users into subscribing to unwanted premium services. These strains of malware, known as fleeceware, are generally difficult to detect because they use minimal code.

The 17 Android apps removed from the Play Store, downloaded around 120,000 times in total, includes All Good PDF Scanner, Mint Leaf Message, Unique Keyboard - Fancy Fonts & Free Emoticons, and Tangram App Lock, among others. These malicious apps also included a host of other messaging platforms, scanners and PDF converters, as well as photo editing tools.

Upon identifying these apps, Zscaler decided to establish the variations in payload deployment, as well as how and why Joker remains so evasive.

In a host of Joker variants, the final payload was delivered using a direct URL received from the command and control (C&C) server. The app, in these cases, had the C&C address hidden in the code with string obfuscation.

The infected app would contact the C&C server once the app was installed, which would then respond with the URL of a final payload. The JSON file also contained information related to the class name required to be executed from the final payload. The app, on receiving the JSON configuration, downloads the payload and executes it.

Some apps, alternatively, operated under a one-stage download mechanism, in which the app used an encrypted stager payload URL encoded in the code itself. When infecting a device, the app downloads the stager payload rather than a final payload, which is then tasked with retrieving the final payload and executing it.

The third method observed by researchers involves a complex two-stage download prior to retrieving the payload from the C&C server. This essentially adds an additional step to the previous one-stage download method.

Through all the variations of the method, the Joker payload remained the same throughout, executing functions that ranged from SMS harvesting to wireless application protocol (WAP) billing fraud.

To prevent the chances of any seemingly legitimate apps compromising users’ privacy and security, Zscaler has recommended ensuring that application permissions for accessing SMS messages, call logs, and contacts are restricted. Reading comments or reviews for many apps may also help to prevent inadvertently downloading malicious software.