Joker Android Malware Snowballs on Google Play (Security News, January 2020)
Google has removed 17,000 Android apps to date from the Play store that have been conduits for the Joker malware - and in an analysis of the code, said that Joker's operators have "at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected."
The internet giant said that having three or more active variants of Joker in circulation at the same time using different approaches or targeting different carriers is the norm; and at peak times of activity, up to 23 different apps from the Joker family have been submitted to Play in one day.
"As the Play Store has introduced new policies and Google Play Protect has scaled defenses, Bread apps were forced to continually iterate to search for gaps," wrote Alec Guertin and Vadim Kotov of the Android Security & Privacy Team, in a recent post.
"Most methods for hiding API usage tend to use Java reflection in some way. In some samples, Bread has simply directly called the Reflect API on strings decrypted at runtime." They added that sometimes a Joker app will use Android's native library to store the strings needed to access the SMS API.
On top of all of this, Joker apps have also used several commercially available packers, including Qihoo360, AliProtect and SecShell, to hide their code; and sometimes the code hides in a native library shipped with the APK. The one constant is the operators' penchant for mixing and matching all of these tricks.
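For triage, the reflection-on-decrypted-strings pattern quoted above can be spotted in decompiled smali by checking whether the name passed to a reflection call came from a string literal. The following is an added example, not code from Google's analysis or from the article; the sample smali is constructed and `Lcom/example/Util;->decrypt` is a hypothetical helper name.

```python
import re

# Reflection entry points whose first String argument names the class or method.
REFLECT_CALLS = (
    "Ljava/lang/Class;->forName(Ljava/lang/String;",
    "Ljava/lang/Class;->getMethod(Ljava/lang/String;",
    "Ljava/lang/Class;->getDeclaredMethod(Ljava/lang/String;",
)
READ_ONLY = (".", "if-", "return", "iput", "sput", "aput", "throw", "monitor-")
INVOKE = re.compile(r"^invoke-(static|virtual)\s+\{([^}]*)\},\s+(\S+)")
ASSIGN = re.compile(r"^(\S+)\s+([vp]\d+)\b")  # opcode, then destination register


def flag_dynamic_reflection(smali):
    """Linear-scan heuristic: (method, call) pairs whose name argument is not a literal."""
    findings, method, literal = [], None, set()
    for raw in smali.splitlines():
        line = raw.strip()
        if line.startswith(".method"):
            method, literal = line.split()[-1], set()  # literals are tracked per method
        m = INVOKE.match(line)
        if m:
            kind, regs, target = m.groups()
            regs = [r.strip() for r in regs.split(",") if r.strip()]
            idx = 0 if kind == "static" else 1  # virtual: register 0 is the receiver
            if target.startswith(REFLECT_CALLS) and len(regs) > idx and regs[idx] not in literal:
                findings.append((method, target.split("(")[0]))
            continue
        a = ASSIGN.match(line)
        if a and not a.group(1).startswith(READ_ONLY):
            op, reg = a.groups()
            (literal.add if op.startswith("const-string") else literal.discard)(reg)
    return findings

# Constructed sample: one literal lookup, one lookup on a runtime-decoded string.
SAMPLE = """
.method public static plain()V
    const-string v0, "java.lang.String"
    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
.end method
.method public static hidden()V
    const-string v0, "b64blob"
    invoke-static {v0}, Lcom/example/Util;->decrypt(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;
.end method
"""

if __name__ == "__main__":
    print(flag_dynamic_reflection(SAMPLE))
```

The scan ignores branches and `/range` invokes, so a hit is a lead for manual review rather than a verdict; legitimate apps also build reflection names at runtime.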
In September, for instance, Google removed 24 malicious Joker apps - with a total of 472,000 installs - from the Play store. The apps had the ability to steal SMS messages, contact lists and device information, in addition to signing victims up for premium service subscriptions that could quietly drain their wallets.
News URL
https://threatpost.com/joker-androids-malware-ramps-volume/151785/