Digital attackers uploaded 17 versions of the Joker malware family to Google’s Play Store in September 2020 as part of an ongoing effort to target Android users.

How the Attackers Bypassed Google’s Vetting Process

The Zscaler ThreatLabZ research team found on Sept. 24, 2020, that digital attackers had concealed the Joker malware versions in applications ranging from PDF scanners to Android keyboards and photo collage programs to translators.

In its study of the malicious apps, the firm found that digital attackers used one of three techniques on each occasion to evade detection by Google’s vetting systems.

The first scenario involved the download of the Joker malware payload from a URL sent over by the attackers’ command-and-control (C&C) server. The apps did this by using string obfuscation to conceal the C&C address in its code.

As for the second scenario, the malicious app dispensed with a C&C address and opted for a stager payload URL encoded in its code. The malware downloaded the stager payload in the form of an Android Package or a Dalvik executable file. This stager then retrieved the final payload URL, downloaded the payload and ran it.

For the third and final scenario, the infected app contacted its C&C server to retrieve a stage one payload URL and download the payload. This payload then obtained a stage two payload that functioned exactly as the first. That payload included a hardcoded URL for downloading the final payload.

At that point, the Joker malware got to work. It stole SMS messages and contact lists and signed the victim up for premium wireless application protocol services.

Those apps had garnered about 120,000 downloads at the time Zscaler discovered them.

Zscaler’s researchers notified the Google Android Security team about the malicious apps. Because of this, Google’s personnel removed the apps from the Play Store.

Other Recent Attacks Involving Joker Malware

The malware attack described above wasn’t the first time in 2020 that Joker made headlines. Back in February, Check Point Research found that a few new samples of the spyware and premium dialer family had infiltrated Google’s Play Store. Those samples garnered more than 130,000 downloads at the time they were found. They all appeared on Check Point’s radar at the same time as a new click malware family called Haken.

Just a few months after, Check Point once again detected Joker samples hiding in the Play Store. This time, however, they spotted the malware using an old trick from the PC threat world — concealing a dynamically loaded hex file — to evade Google’s detection. A couple of months later, Pradeo found six more apps infected with the malware. Then, at the end of September, Zimperium reported on the discovery of 64 Joker variants within the span of less than a month.

How to Defend Against Mobile Malware

Organizations can help defend against types of malware like Joker by abiding by mobile security best practices. For instance, they can use their comprehensive vulnerability management programs to keep all mobile devices up to date and to limit app installations to trusted developers on official marketplaces. Security teams can enshrine these practices into their organization’s security policies to augment those measures. They also can use ongoing security awareness training to educate the workforce about the importance of following those guidelines.

Simultaneously, organizations can consider using advanced security solutions that use AI to spot threats that prey upon mobile devices and/or other connected assets in an attempt to infiltrate the corporate network.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…