Security News > 2020 > January > Joker Android Malware Snowballs on Google Play
Google has removed 17,000 Android apps to date from the Play store that have been conduits for the Joker malware - and in an analysis of the code, said that Joker's operators have "At some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected."
The internet giant said that having three or more active variants of Joker in circulation at the same time using different approaches or targeting different carriers is the norm; and at peak times of activity, up to 23 different apps from the Joker family have been submitted to Play in one day.
"As the Play Store has introduced new policies and Google Play Protect has scaled defenses, Bread apps were forced to continually iterate to search for gaps," wrote Alec Guertin and Vadim Kotov of the Android Security & Privacy Team, in a recent post.
"Most methods for hiding API usage tend to use Java reflection in some way. In some samples, Bread has simply directly called the Reflect API on strings decrypted at runtime." They added that sometimes a Joker app will use Android's native library to store the strings needed to access the SMS API. On top of all of this, Joker apps have also used several commercially available packers including Qihoo360, AliProtect and SecShell to hide its code; and sometimes it hides in a native library shipped with the APK. The one constant is the operators' penchant for mixing and matching all of these tricks.
In September for instance, Google removed 24 malicious Joker apps - with a total of 472,000 installs - from the Play store, which had the ability to steal SMS messages, contact lists and device information, in addition to signing them up for premium service subscriptions that could quietly drain their wallets.
News URL
https://threatpost.com/joker-androids-malware-ramps-volume/151785/
Related news
- Android malware 'Necro' infects 11 million devices via Google Play (source)
- New Octo Android malware version impersonates NordVPN, Google Chrome (source)
- Fake WalletConnect app on Google Play steals Android users’ crypto (source)
- Beware: New Vo1d Malware Infects 1.3 Million Android-based TV Boxes Worldwide (source)
- New Android Malware 'Ajina.Banker' Steals Financial Data and Bypasses 2FA via Telegram (source)
- New Vo1d malware infects 1.3 million Android TV streaming boxes (source)
- New Vo1d malware infects 1.3 million Android streaming boxes (source)
- Malware locks browser in kiosk mode to steal Google credentials (source)
- Necro malware continues to haunt side-loaders of dodgy Android mods (source)
- Necro Android Malware Found in Popular Camera and Browser Apps on Play Store (source)