A new variant of Joker malware on Google’s Play Store has infected 11 applications that have now been removed from the app store.
The new version of Joker carries slight changes to its original code, which let it sneak into the now-removed apps, according to Check Point, a security solutions company whose researchers discovered the threat.
“Hiding in seemingly legitimate applications, we found that this updated version of Joker was able to download additional malware to the device, which subscribes the user to premium services without their knowledge or consent,” a Check Point research report titled “New Joker variant hits Google Play with an old trick” said.
Joker uses the notification listener service built into the apps, along with a dynamic dex file loaded from a command-and-control (C&C) server, to carry out the user registration process.
Taking a leaf out of the Windows malware developer’s playbook, the new version of Joker manages to load the dynamic dex file even when it is masked, reducing its digital fingerprint. The dex file remains concealed within the application in the form of Base64-encoded strings, which the malware then decodes and loads.
The original classes.dex file confirms the presence of an active campaign after communicating with the C&C server, and loads the new payload unit. Joker’s new version succeeds in hiding the entire functionality by configuring the C&C server to return “false” on the status code, preventing detection of the malicious activity, according to the report.
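The Base64 concealment described above leaves a checkable trace: any Base64 run whose decoded bytes start with the DEX header. The following scanner is an added example, not code from the Check Point report; it assumes the app's files have already been extracted to text or bytes, and the sample input is constructed.

```python
import base64
import re

# A DEX file starts with "dex\n", a three-digit version and a NUL byte.
DEX_MAGIC = re.compile(rb"dex\n(\d{3})\x00")
# Runs of Base64 alphabet long enough to carry at least the 8-byte header.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def _decode(run: bytes) -> bytes:
    """Decode a Base64 run, tolerating missing padding or one stray character."""
    run = run.rstrip(b"=")
    if len(run) % 4 == 1:  # impossible Base64 length: drop the extra character
        run = run[:-1]
    return base64.b64decode(run + b"=" * (-len(run) % 4))


def find_embedded_dex(blob: bytes):
    """Return (offset, dex_version, decoded_size) for each Base64 run in blob
    whose decoded bytes begin with a DEX header."""
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        head = DEX_MAGIC.match(base64.b64decode(run[:12]))  # 12 chars -> 9 bytes
        if head:
            hits.append((m.start(), head.group(1).decode(), len(_decode(run))))
    return hits


# Constructed sample: a fake 40-byte "DEX" (header plus zero padding, not a real
# payload) hidden as a Base64 attribute value, next to a benign Base64 string.
FAKE_DEX = b"dex\n035\x00" + bytes(32)
ENCODED = base64.b64encode(FAKE_DEX)
BENIGN = base64.b64encode(b"just a benign configuration string")
SAMPLE = (b'<meta-data android:name="theme" android:value="' + BENIGN + b'"/>\n'
          b'<meta-data android:name="cfg" android:value="' + ENCODED + b'"/>\n')

if __name__ == "__main__":
    for offset, version, size in find_embedded_dex(SAMPLE):
        print(f"offset {offset}: Base64-encoded DEX v{version}, {size} bytes decoded")
```

This only catches a plainly encoded header; a payload that is split across strings or further masked before encoding needs the pieces reassembled first.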
Malware like this could put a user and their data at risk. It compromises the integrity of a device, and could allow an attacker to remotely access and exploit an infected device. In the process it may be used to transmit a user’s personal data or credentials without proper disclosure and permission.
The Check Point report lists the package names of the 11 infected apps and advises users to uninstall those applications and then install a security solution. It also advises users to check their credit card and mobile bills for any subscriptions.