Threat Watch

Joker Android Malware Update

Bleeping Computer and Check Point researchers reported that the threat actors behind the Joker Android malware have once again been successful in slipping financial fraud malware into apps on the Google Play Store without being detected during Google’s app review process. The Joker malware is now being used for a type of mobile billing fraud that subscribes its victims to premium services without their knowledge or consent. The new variant slipped past the Play Store’s security system by hiding its malicious payload as a dex file hidden in the form of Base64 encoded strings within the AndroidManifest files of seemingly benign apps. The AndroidManifest XML file is used to provide Android build tools, the Android OS, and the Google Play Store with essential info about the apps. This allows the malware to avoid detection while being analyzed during the submission process and to eliminate the need to connect to a command and control server. So far, 11 new apps have been reported to Google as infected with Joker and Google is removing the apps when reported.

ANALYST NOTES

Since Joker has the capability to sign the victim up for premium services without consent, Android users should be extremely vigilant in checking their phone bill for suspicious activity. If a user believes that an app has been downloaded that contains Joker, the app should be deleted immediately and reported to Google. This type of malware is a financial fraud problem more than a threat to the confidentiality of data, but it is important to note that if employees are allowed to use personal mobile devices for business purposes, older models of Android phones may have unpatched vulnerabilities that would allow a rogue app to completely take over the device and spy on email, text messages and Multi-Factor Authentication (MFA) codes. It is important to only use mobile devices that are up to date with security patches and still supported by the manufacturer.

To read more, please see: https://www.bleepingcomputer.com/news/security/joker-android-malware-keeps-evading-google-play-store-defenses/