
Check Point catches new form of Joker malware targeting Google Play Store

Check Point researchers have identified malware that is disguised as a legitimate-looking Android application and is used to capture users’ information. Known as ‘Joker’, the billing-fraud malware is specifically designed to evade Google Play Store protections.

First tracked in 2017, the malware is a spyware and premium dialer that can access notifications, read and send SMS texts. These capabilities are used to invisibly subscribe victims to premium services.

Google has described this malware operation as one of the most persistent threats it has dealt with during the last few years, stating that it has “used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected.”

Recently, Check Point researcher Aviran Hazum identified a new method the Joker malware has been leveraging: hiding malicious code inside the ‘Android Manifest’ file of a legitimate application.

Every application must have an Android Manifest file in its root directory. The manifest file provides essential information about an app, such as name, icon and permissions, to the Android system, which the system must have before it can run any of the app's code.

This way, the malware does not need to contact a C&C server (a command-and-control computer operated by a cybercriminal to send commands to systems compromised by malware) in order to download the payload, the portion of the malware that performs the malicious action.

Check Point researchers disclosed their findings to Google, and all reported applications (11 apps) were removed from the Play Store by April 30, 2020.

Hazum outlined Joker’s new method in three steps.

Build payload first: Joker builds its payload beforehand, inserting it into the Android Manifest File.

Skip payload loading: During evaluation time, Joker does not even try to load the malicious payload, which makes it a lot easier to bypass Google Play Store protections.

Malware spreads: After the evaluation period, once the app has been approved, the campaign starts to operate: the malicious payload is selected and loaded.
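As an added, defender-side example (not Check Point's tooling and not code from the article), the Python heuristic below parses a manifest and flags attribute values that are both long and high-entropy, the kind of encoded blob that a payload staged in the manifest would leave behind. The sample manifest, the use of a meta-data element and the thresholds are assumptions; the article does not say where in the manifest Joker stored its code.

```python
import base64
import math
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from any real app): one ordinary
# meta-data entry plus a placeholder for a large encoded blob standing in
# for a payload staged in the manifest as the article describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application android:label="Sample">
    <meta-data android:name="analytics_key" android:value="abc123-def456" />
    <meta-data android:name="config_blob" android:value="{blob}" />
  </application>
</manifest>"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the value's character distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_suspicious_values(manifest_xml, min_len=256, min_entropy=4.5):
    """Flag attribute values that look like embedded encoded data rather
    than ordinary configuration: long AND high-entropy (the thresholds are
    assumptions; tune them against a corpus of known-good manifests).
    Returns (element tag, android:name, length, entropy) per hit."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for elem in root.iter():
        for value in elem.attrib.values():
            ent = shannon_entropy(value)
            if len(value) >= min_len and ent >= min_entropy:
                name = elem.attrib.get(ANDROID_NS + "name", "")
                hits.append((elem.tag, name, len(value), round(ent, 2)))
    return hits


def build_sample() -> str:
    """Embed a deterministic 768-byte blob (base64 -> 1024 characters)."""
    blob = base64.b64encode(bytes(range(256)) * 3).decode()
    return SAMPLE_MANIFEST.format(blob=blob)
```

Real APKs store the manifest as binary XML, so decode it to text first (for example with apktool) before running this over an extracted app.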

Check Point manager of Mobile Research Aviran Hazum says, “Joker adapted. We found it hiding in the ‘essential information’ file every Android application is required to have. Our latest findings indicate that Google Play Store protections are not enough.

“We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users.

“The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people.”

Check Point researchers have provided specific steps to help people stay protected.

The researchers say that anyone who suspects they have one of these infected apps on their device should uninstall the application, check all mobile and credit-card bills for subscriptions that have been signed up for and unsubscribe where possible, and finally install a security solution to prevent future infections.
