Security News > 2020 > January > Joker Android Malware Snowballs on Google Play
Google has removed 17,000 Android apps to date from the Play store that have been conduits for the Joker malware. In an analysis of the code, it said that Joker's operators have "at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected."
The internet giant said that having three or more active variants of Joker in circulation at the same time, using different approaches or targeting different carriers, is the norm; at peak times of activity, up to 23 different apps from the Joker family have been submitted to Play in one day.
"As the Play Store has introduced new policies and Google Play Protect has scaled defenses, Bread apps were forced to continually iterate to search for gaps," wrote Alec Guertin and Vadim Kotov of the Android Security & Privacy Team in a recent post, which refers to the Joker family as Bread.
"Most methods for hiding API usage tend to use Java reflection in some way. In some samples, Bread has simply directly called the Reflect API on strings decrypted at runtime." They added that sometimes a Joker app will use Android's native library to store the strings needed to access the SMS API.
On top of all of this, Joker apps have also used several commercially available packers, including Qihoo360, AliProtect and SecShell, to hide their code; sometimes the code sits in a native library shipped with the APK. The one constant is the operators' penchant for mixing and matching all of these tricks.
In September, for instance, Google removed 24 malicious Joker apps, with a total of 472,000 installs, from the Play store. The apps could steal SMS messages, contact lists and device information, and sign victims up for premium service subscriptions that could quietly drain their wallets.
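A static triage heuristic for the reflection-based hiding of SMS API usage described above, as an added example that is not from Google's post or the original article: it flags reflection calls in decompiled Java whose class or method name is not a plain string literal, and pairs that with SMS permissions declared in the manifest. The sample snippets and the names `Str.dec`, `K1`, `K2`, `find_opaque_reflection` and `triage` are constructed for illustration.

```python
import re

# Reflection entry points and their first argument: either a complete string
# literal followed by ',' or ')', or any other expression up to ',' or ')'.
REFLECT_CALL = re.compile(
    r'\b(?P<call>Class\.forName|getDeclaredMethod|getMethod)\s*\(\s*'
    r'(?P<arg>"(?:[^"\\]|\\.)*"\s*(?=[,)])|[^,)]*)'
)
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')
SMS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}

def find_opaque_reflection(java_source):
    """Return (line_no, call, line) for reflection calls whose target name is
    computed at runtime (decrypted, concatenated, read from a variable)."""
    hits = []
    for line_no, line in enumerate(java_source.splitlines(), 1):
        for m in REFLECT_CALL.finditer(line):
            arg = m.group("arg").strip()
            if arg and not STRING_LITERAL.fullmatch(arg):
                hits.append((line_no, m.group("call"), line.strip()))
    return hits

def triage(java_source, permissions):
    """Combine opaque reflection with declared SMS permissions; 'review' is a
    prompt for manual analysis, not a verdict."""
    hits = find_opaque_reflection(java_source)
    sms = sorted(SMS_PERMISSIONS & set(permissions))
    return {"opaque_reflection": hits, "sms_permissions": sms,
            "review": bool(hits) and bool(sms)}

# Constructed decompiler output: names resolved from runtime-decoded strings.
SAMPLE_SUSPECT = """\
Class<?> c = Class.forName(Str.dec(K1));
Method m = c.getMethod(Str.dec(K2), String.class);"""

# Constructed benign plugin loader: reflection on visible literals.
SAMPLE_BENIGN = """\
Class<?> c = Class.forName("com.example.Plugin");
Method m = c.getMethod("run");"""

if __name__ == "__main__":
    perms = {"android.permission.SEND_SMS", "android.permission.INTERNET"}
    print(triage(SAMPLE_SUSPECT, perms))
    print(triage(SAMPLE_BENIGN, perms))
```

Reflection is common in legitimate apps, so a hit only prioritizes a sample for review; code hidden by a packer or moved into a native library, as the article notes, will not appear in decompiled Java at all.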
News URL
https://threatpost.com/joker-androids-malware-ramps-volume/151785/