Joker Android Malware Dupes Its Way Back Onto Google Play
Quote: A new variant of the infamous Joker malware has once again made it onto Google Play, with Google removing 11 malicious Android applications from its official app marketplace, researchers disclosed Thursday.
 
Malicious apps spreading the Joker have continued to skirt Google Play’s protections since 2019, because the malware’s author kept making small changes to its code. However, researchers say that Joker is now raising the bar, using a tactic – one that’s well known but not yet been used by Joker before now – to hide malicious code inside legitimate applications, allowing it to get through Google Play’s app vetting process.
 
“Joker adapted,” said Aviran Hazum, manager of Mobile Research with Check Point Research, in a Thursday analysis. “The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people.”

Joker is a billing fraud family of malware that first emerged in 2017, but started appearing in earnest in 2019. It advertises itself as a legitimate app, but once installed, it infects victims post-download to steal their SMS messages, contact lists and device information; as well as also stealthily signing them up for premium service subscriptions that could quietly drain their wallets.

The most recent variant of the malware uses a tactic where it hides malicious code inside what’s called the “Android Manifest” file of a legitimate application. Every application has an Android Manifest file in its root directory, which provides essential information about an app, such as its name, icon and permissions, to the Android system.

Joker has been building its payload before inserting it into the “Android Manifest” file via a dex file, hidden in the form of Base64 encoded strings. This payload is hidden during Google Play’s evaluation of the app, making it easier to skirt by the app vetting process. It’s not until after the app has been approved in the evaluation process that the campaign starts to operate, with the malicious payload decoded and loaded onto the compromised device. It’s important to note that this trick is well-known to developers of malware for Windows PCs, said researchers.

Read more: https://threatpost.com/joker-android-mal...ay/157307/
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
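
A defender-side check for the technique described in the quoted article, as an added example that is not part of the original post or the cited research: it scans an AndroidManifest.xml that has already been decoded to text XML (for example with apktool) for Base64 strings that decode to a DEX file header. The function names and the sample manifest are constructed for illustration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# A DEX file starts with "dex\n", a three-digit version and a NUL byte.
DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")
# Candidate Base64 runs: at least 16 alphabet characters, optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidate(text):
    """Return the decoded bytes if text is strict Base64, else None."""
    try:
        return base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def find_embedded_dex(manifest_xml):
    """Return (element, attribute, decoded_size) for each Base64 string
    in the manifest that decodes to data starting with a DEX header."""
    hits = []
    for elem in ET.fromstring(manifest_xml).iter():
        values = list(elem.attrib.items())
        if elem.text and elem.text.strip():
            values.append(("#text", elem.text))
        for name, value in values:
            for run in B64_RUN.findall(value):
                data = decode_candidate(run)
                if data and DEX_MAGIC.match(data):
                    # Drop the "{namespace}" prefix ElementTree adds.
                    hits.append((elem.tag.split("}")[-1],
                                 name.split("}")[-1], len(data)))
    return hits


# Constructed sample: a DEX magic plus zero padding, not a real payload.
_FAKE_DEX = base64.b64encode(b"dex\n035\x00" + bytes(32)).decode()
_BENIGN = base64.b64encode(b"constructed benign config value").decode()
SAMPLE_MANIFEST = f"""<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application android:label="Demo">
    <meta-data android:name="cfg" android:value="{_FAKE_DEX}"/>
    <meta-data android:name="benign" android:value="{_BENIGN}"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for tag, attr, size in find_embedded_dex(SAMPLE_MANIFEST):
        print(f"DEX header in <{tag}> {attr}: {size} bytes decoded")
```

A hit is a reason to extract and analyze the decoded bytes; a payload split across several strings or wrapped in another encoding will not match this single-string check.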