Joker variant uses old trick to hit Google Play

Researchers at Check Point have recently discovered a new variant of the Joker Dropper and Premium Dialer spyware in Google Play, hiding in seemingly legitimate applications.

The Israeli security company found that this version of the spyware had the ability to download additional malware to a device, which then subscribes the user to premium services without their knowledge or consent.

The researchers, Aviran Hazum, Bogdan Melnykov, and Israel Wernik, say Joker is one of the most prominent types of malware for the Android platform. It keeps worming its way into Google’s official application market as a result of small changes to its code, which enables it to get past the Play Store’s security and vetting barriers.

“This time, however, the malicious actor behind Joker adopted an old technique from the conventional PC threat landscape and used it in the mobile app world to avoid detection by Google,” they said.

To be able to subscribe app users to premium services without their knowledge or consent, Joker employed two main components – the Notification Listener service that is part of the original application, and a dynamic dex file loaded from the command and control (C&C) server to perform the registration of the user to the services.

In an attempt to obfuscate Joker’s fingerprint, the author behind the spyware hid the dynamically loaded dex file from sight while still ensuring it had the ability to load – a technique well-known to developers of malware for Windows PCs.

“This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded.”

How it works

Originally, the code that was responsible for communicating with the C&C and downloading the dynamic dex file was located inside the main classes.dex file, but now the functionality of the original classes.dex file includes loading the new payload.

Joker triggers the malicious flow from the Activity by creating a new object that communicates with the C&C to check if the campaign is still active. After confirmation, it can then prepare the payload module to be loaded.

While conducting the research, Check Point also detected an “in-between” variant that made use of the technique of hiding the .dex file as Base64 strings. However, instead of adding the strings to the Manifest file, the strings were located inside an internal class of the main application. In this case, all that was needed for the malicious code to run was to read the strings, decode them from Base64, and load the result with reflection.

The new payload contained code that the original Joker had in its main dex file – the registration of the NotificationListener service, subscribing the user to premium services, and more. After this change, however, all the attacker needed to do to hide the entire functionality was have the C&C server return 'false' as the status code, and none of the malicious activity would occur.
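The hiding technique described above (a dex file stored as Base64 strings in the Manifest or in an internal class, decoded at runtime and loaded via reflection) is also what a triage analyst can look for. The script below is an added example written for this article, not Check Point's code and not part of any Joker sample: it opens an APK as the zip archive it is, looks for long Base64 runs in every entry, decodes them, and reports any that start with the DEX file magic ("dex\n" plus a three-digit version and a NUL byte). The sample APK it scans is constructed inline, with a fake dex header plus filler standing in for a payload.

```python
import base64
import binascii
import io
import re
import zipfile

# DEX file magic: "dex\n" followed by a three-digit version and a NUL, e.g. "dex\n035\0".
DEX_MAGIC_RE = re.compile(rb"dex\n0[0-9]{2}\x00")

# Runs of Base64 alphabet characters long enough to plausibly be an embedded file.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_embedded_dex(blob: bytes) -> list:
    """Return (offset, decoded_length) for each Base64 run in blob that decodes to a DEX."""
    hits = []
    for m in B64_RUN_RE.finditer(blob):
        body = m.group(0).rstrip(b"=")
        if len(body) % 4 == 1:          # impossible Base64 length: drop the stray character
            body = body[:-1]
        padded = body + b"=" * (-len(body) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue
        if DEX_MAGIC_RE.match(decoded):
            hits.append((m.start(), len(decoded)))
    return hits


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every entry of an APK (a zip archive) for Base64-encoded DEX payloads."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            hits = find_embedded_dex(zf.read(name))
            if hits:
                findings[name] = hits
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample standing in for an APK: a fake dex hidden as a Base64 manifest value."""
    fake_dex = b"dex\n035\x00" + bytes(range(256)) * 2          # 520 bytes, not a real dex
    b64_dex = base64.b64encode(fake_dex)
    manifest = (b'<manifest><meta-data android:name="cfg" android:value="'
                + b64_dex + b'"/></manifest>')
    # A benign resource with a long Base64 string that is not a dex: must not be flagged.
    benign_res = b"Lorem ipsum " * 20 + base64.b64encode(b"ordinary resource text " * 5)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("res/raw/config.txt", benign_res)
        zf.writestr("classes.dex", fake_dex)   # plain dex, not Base64: not flagged either
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_apk(build_sample_apk()).items():
        for offset, size in hits:
            print(f"{entry}: Base64-encoded DEX at offset {offset}, {size} bytes decoded")
```

In a real APK the manifest is binary XML whose string pool may be UTF-16, so this raw-archive scan catches UTF-8 pools and resource files but should also be run over the decoded manifest and decompiled classes (the "in-between" variant kept its strings in an internal class). It is a heuristic: a payload that is split into several strings or lightly transformed before Base64 decoding will not match, which is why the decode-then-DexClassLoader (or equivalent reflection) call path is the more robust thing to flag in static analysis.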

Prevent future infections

Anyone suspecting they may have an infected app on their device is advised to uninstall the application in question from their device and to check their mobile and credit-card bills to see if they have been signed up for any subscriptions.
