Check Point catches new form of Joker malware targeting Google Play Store

Check Point researchers have identified malware that is disguised as a legitimate-looking Android application and is used to capture users’ information. Known as ‘Joker’, the billing-fraud malware is specifically designed to evade Google Play Store protections.

First tracked in 2017, the malware is spyware and a premium dialer that can access notifications and read and send SMS messages. These capabilities are used to invisibly subscribe victims to premium services.

Google has described this malware operation as one of the most persistent threats it has dealt with during the last few years, stating that it has “used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected.”

Recently, Check Point researcher Aviran Hazum identified a new method the Joker malware has been leveraging: hiding malicious code inside the ‘Android Manifest’ file of a legitimate application.

Every application must have an Android Manifest file in its root directory. The manifest file provides essential information about an app, such as name, icon and permissions, to the Android system, which the system must have before it can run any of the app's code.

Because the payload is already embedded, the malware does not need to contact a command-and-control (C&C) server (a computer controlled by a cybercriminal that sends commands to systems compromised by malware) to download the payload, the portion of the malware that performs the malicious action.

Check Point researchers disclosed their findings to Google, and all reported applications (11 apps) were removed from the Play Store by April 30, 2020.

Hazum outlined Joker’s new method in three steps.

Build payload first: Joker builds its payload beforehand and inserts it into the Android Manifest file.

Skip payload loading: During the evaluation period, Joker does not even try to load the malicious payload, which makes it much easier to bypass Google Play Store protections.

Malware spreads: After the evaluation period, once the app has been approved, the campaign starts to operate and the malicious payload is decoded and loaded.
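A defender-side illustration of the idea above, added here and not code from Check Point or from the article: it walks every attribute of an AndroidManifest.xml and flags values that look like an embedded, base64-encoded binary rather than the short names, labels and resource references a manifest normally carries. The sample manifest, the `config` meta-data name and the assumption that a hidden payload would surface as a long base64 string are constructed for the example; the article does not state exactly how or where Joker stores its payload in the manifest.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
MIN_BLOB_LEN = 64  # assumption: legitimate manifest string values are much shorter
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Magic bytes of containers a payload might be delivered in (DEX bytecode, ZIP/APK)
MAGIC = {b"dex\n": "DEX bytecode", b"PK\x03\x04": "ZIP/APK archive"}


def classify(value):
    """Return a reason string if a manifest value looks like an embedded payload, else None."""
    if len(value) < MIN_BLOB_LEN or not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    for magic, name in MAGIC.items():
        if raw.startswith(magic):
            return f"base64 blob decoding to {name} header"
    return "long base64 blob of unknown content"


def suspicious_manifest_values(xml_text):
    """Walk every element and attribute of a manifest; return (tag, attribute, reason) findings."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            reason = classify(value.strip())
            if reason:
                findings.append((elem.tag, attr.replace(ANDROID, "android:"), reason))
    return findings


# Constructed sample: a minimal benign manifest plus one meta-data value holding the
# base64 encoding of bytes that start with the DEX magic (a header only, no real code).
FAKE_DEX = base64.b64encode(b"dex\n035\x00" + b"\x00" * 60).decode()
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpaper Pack" android:icon="@mipmap/ic_launcher">
    <meta-data android:name="config" android:value="{FAKE_DEX}"/>
    <meta-data android:name="com.google.android.gms.version"
        android:value="@integer/google_play_services_version"/>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for tag, attr, reason in suspicious_manifest_values(SAMPLE_MANIFEST):
        print(f"{tag} {attr}: {reason}")
```

On a real APK the manifest is stored in binary XML and must first be decoded (for example with apktool) before this check can parse it.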

Check Point manager of Mobile Research Aviran Hazum says, “Joker adapted. We found it hiding in the ‘essential information’ file every Android application is required to have. Our latest findings indicate that Google Play Store protections are not enough.

“We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users.

“The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people.”

Check Point researchers have provided specific steps to help people stay protected.

The researchers say that anyone who suspects one of these infected apps is on their device should uninstall the application, check their mobile and credit-card bills for subscriptions they did not sign up for and cancel them where possible, and finally install a security solution to prevent future infections.
