Google has long been locked in a battle with cybercriminals who create and submit malicious apps to the Play store that somehow sneak past the company’s protections. One especially pervasive and problematic piece of malware is the one dubbed Joker, aka Bread. In the latest round, Google was forced to put the kibosh on 17 malicious apps uploaded in September that tried to infect unsuspecting users with the Joker malware.
In a blog post published on Thursday, security firm Zscaler explained that it discovered and identified the 17 apps and alerted Google, which then removed the offending programs. In total, the identified apps had been downloaded around 120,000 times before Google removed them, a sizable figure, though small compared with some earlier Joker incidents.
The 17 apps included the following:
- All Good PDF Scanner
- Mint Leaf Message-Your Private Message
- Unique Keyboard – Fancy Fonts & Free Emoticons
- Tangram App Lock
- Direct Messenger
- Private SMS
- One Sentence Translator – Multifunctional Translator
- Style Photo Collage
- Meticulous Scanner
- Desire Translate
- Talent Photo Editor – Blur focus
- Care Message
- Part Message
- Paper Doc Scanner
- Blue Scanner
- Hummingbird PDF Converter – Photo to PDF
- All Good PDF Scanner
In its post, Zscaler described Joker as spyware that aims to capture SMS messages, contact lists, and device information, in addition to silently enrolling the victim in premium wireless application protocol (WAP) billing services. Joker has been a persistent problem for Google in large part because the criminals behind it keep modifying the code, the execution process, and the tactics for delivering the payload.
In previous Joker variants, the final payload was fetched from a direct URL handed out by the attackers' command and control (C&C) server. In this latest round, the infected Google Play Store apps carried the C&C address inside their own code, obfuscated so that it does not show up as a plaintext string.
Some malicious apps use a stager payload, a small intermediate component that retrieves the URL of the final payload and then downloads and executes it on the infected device. In the latest case, the URL of the stager was embedded directly in the app's code, encrypted or otherwise disguised, and the payload fetched through it in turn executed the Joker malware.
Other infected Android apps use two stagers to reach the final payload. In this latest instance, the infected apps took a multilayered approach: the app downloaded a stage-one payload, which downloaded a stage-two payload, which finally loaded Joker. Here the infected apps contacted the C&C server for the stage-one URL, which the server hid in a response header rather than in the body. Because each address is only learned from the previous hop, neither the intermediate URLs nor the final payload location can be recovered from the app alone, which also obscures the true nature of the malicious apps.
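The three delivery chains described above, modelled as an added example (this is not code from Zscaler's post or from the malware). An in-memory stand-in replaces the attacker's hosts, the hostnames and paths are made up, the "Location" header is assumed as the place the stage-one URL is smuggled, and a simple XOR-plus-Base64 scheme stands in for whatever string hiding the real apps use. The point it shows is the gap between what a static string search of the APK reveals and what the app actually contacts at runtime:

```python
import base64
from urllib.parse import urlparse

# Constructed, in-memory stand-in for the attacker's hosts so the chain can be
# walked offline. Every hostname, path and the use of the "Location" header are
# assumptions for illustration; Zscaler describes the layering, not these values.
FAKE_NET = {
    # direct download: the C&C answers with the final payload URL in the body
    "https://cnc.example/direct": ({}, b"https://pay.example/final.bin"),
    # one-stage: a hosted stager (its URL encrypted in the app) hands over the final URL
    "https://one.example/stager": ({}, b"https://pay.example/final.bin"),
    # two-stage: the C&C tucks the stage-one URL into a response header, and
    # each stage hands over the next URL until the payload is reached
    "https://cnc.example/two": ({"Location": "https://one.example/stage1"}, b""),
    "https://one.example/stage1": ({}, b"https://two.example/stage2"),
    "https://two.example/stage2": ({}, b"https://pay.example/final.bin"),
    "https://pay.example/final.bin": ({}, b"dex\n035\x00"),  # dex magic as a fake payload
}


def http_get(url):
    """Stand-in for the network call; returns (headers, body) from FAKE_NET."""
    return FAKE_NET[url]


# Placeholder string hiding: XOR with a fixed key, then Base64. The page only
# says the real apps used "encryption or another method", so this is assumed.
KEY = b"s3cr3t"


def hide(text):
    raw = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(text.encode()))
    return base64.b64encode(raw).decode()


def reveal(blob):
    raw = base64.b64decode(blob)
    return bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(raw)).decode()


# The only network-related string each app variant carries in its own code.
EMBEDDED = {
    "direct": hide("https://cnc.example/direct"),
    "one-stage": hide("https://one.example/stager"),
    "two-stage": hide("https://cnc.example/two"),
}


def follow_chain(blob, max_hops=8):
    """Decode the embedded address and walk the chain the way the loader would.

    Returns (urls_contacted_in_order, payload_bytes). A next-hop URL may arrive
    in a response header or in the body; a body that is not a URL is the payload.
    """
    url = reveal(blob)
    visited = []
    for _ in range(max_hops):
        visited.append(url)
        headers, body = http_get(url)
        if "Location" in headers:            # URL smuggled in a response header
            url = headers["Location"]
        elif body.startswith(b"https://"):   # URL handed over in the body
            url = body.decode()
        else:
            return visited, body             # reached the final payload
    raise RuntimeError("chain longer than max_hops; refusing to continue")


def hosts_in_strings(strings):
    """Hosts a static string search (e.g. `strings` over the APK) would turn up."""
    return {urlparse(s).hostname for s in strings if s.startswith("https://")}


def hosts_at_runtime(blob):
    """Hosts actually contacted when the chain is followed."""
    urls, _ = follow_chain(blob)
    return [urlparse(u).hostname for u in urls]


if __name__ == "__main__":
    for name, blob in EMBEDDED.items():
        static = hosts_in_strings([blob]) or "-"
        print(f"{name:10s} static: {static}  runtime: {' -> '.join(hosts_at_runtime(blob))}")
```

Running it prints a dash in the static column for every variant, because the only address in the code is the hidden blob, while the two-stage variant contacts four hosts at runtime. In this model, direct and one-stage differ only in where the embedded address points (the C&C itself versus a hosted stager), which is the distinction Zscaler draws; the two-stage chain is the one where the intermediate URLs exist only in server responses, so an analyst has to observe the app's network traffic, including response headers, to recover them.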
Though Google removed the apps in question, the company continues to face a challenge from the Joker malware as it keeps evolving to evade the Google Play Protect security built into the app store. As such, Android owners have to take their own precautions to protect themselves against malware.
“We recommend paying close attention to the permission list in the apps that you install on your Android device,” Zscaler said in its blog post. “Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comments or reviews on the app page also helps identify compromised apps.”
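One way to turn that advice into a repeatable check, as an added example that is not part of Zscaler's post: parse a decoded AndroidManifest.xml and flag the permission groups Zscaler names (SMS, call logs, contacts) plus device-identity access. The grouping of permissions into categories and the sample manifest for a fictional "PDF scanner" app are constructed here for illustration; the permission names themselves are standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions worth a second look in an app whose purpose does not need them.
# The categories follow Zscaler's advice (SMS, call logs, contacts); the
# "device info" entry is our own addition, since Joker also collects device data.
RISKY = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.WRITE_CALL_LOG": "call log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "device info",
}


def declared_permissions(manifest_xml):
    """All <uses-permission android:name="..."/> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def flag_risky(manifest_xml):
    """Map each declared risky permission to its category."""
    return {p: RISKY[p] for p in declared_permissions(manifest_xml) if p in RISKY}


def risk_groups(manifest_xml):
    """The distinct categories of sensitive data the app asks for, sorted."""
    return sorted(set(flag_risky(manifest_xml).values()))


# Constructed sample: a document-scanner app that also wants SMS and contacts,
# the kind of mismatch Zscaler's advice is meant to catch.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.pdfscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="PDF Scanner"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, group in flag_risky(SAMPLE_MANIFEST).items():
        print(f"{group:12s} {perm}")
    print("asks for:", ", ".join(risk_groups(SAMPLE_MANIFEST)))
```

To run this against a real APK, decode the manifest first, for example with `apktool d app.apk` (which writes a readable AndroidManifest.xml) or `apkanalyzer manifest print app.apk` from the Android SDK command-line tools; for an app already installed on a device, `adb shell dumpsys package <package>` lists the permissions it requested. The judgement call the script cannot make for you is the mismatch between what the app is for and what it asks for: a scanner that wants to read SMS is the signal.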