September was a busy month for malicious Android apps, with dozens from a single malware family alone flooding either Google Play or third-party markets, security company researchers said.

Known as the Joker, this family of malicious apps has been attacking Android users since late 2016 and has recently become one of the most common threats to Android. Once installed, Joker apps secretly subscribe users to expensive subscription services and can also steal SMS messages, contact lists, and device information. Last July, researchers said they found Joker in eleven seemingly legitimate apps that had been downloaded from Play about 500,000 times.

Late last week, researchers at security firm Zscaler said they had found a new batch containing 17 Joker-infected apps with 120,000 downloads. The apps were gradually uploaded to Play over the course of September. Security firm Zimperium reported Monday that the company's researchers found 64 new wildcard variants in September, most or all of which were sown in third-party app stores.

And as ZDNet found, researchers from the security companies Pradeo and Anquanke found more wild card outbreaks this month and in July. Anquanke said it has found more than 13,000 samples since it first came to light in December 2016.

"Joker is one of the best known malware families that continuously targets Android devices," wrote Zscaler researcher Viral Gandhi in last week's post. "Despite the awareness of this particular malware, it finds its way into Google's official application market by applying changes to code, execution methods, or techniques for retrieving payloads."

Digital instinct

One of the keys to Joker's success is the nature of the detour. The apps are imitators of legitimate apps and do not contain any malicious code other than a "dropper" when downloaded from Play or any other market. After a delay of hours or even days, the dropper, which is heavily obfuscated and has few lines of code, downloads a malicious component and places it in the app.

Zimperium provided a flowchart that captures the four pivot points that each wildcard example uses. The malware also uses evasive techniques to disguise download components as harmless applications such as games, wallpapers, messengers, translators and photo editors.


The evasion techniques include encoded strings in the examples where an app is asked to download a Dex. This is a native Android file that contains the APK package, possibly along with other Dexes. The Dexes are disguised as mp3 .css or .json files. To hide further, Joker uses code injection to hide between legitimate third-party packages, such as: B. org.junit.internal, or com.unity3d.player.UnityProvider, which are already installed on the phone.

"This is supposed to make it more difficult for the malware analyst to detect the malicious code, as third-party libraries are typically large in code and the presence of additional obfuscation can make identifying the injected classes even more difficult." The Zimperium researcher Aazim Yaswant wrote. "In addition, using legitimate package names prevents naive [blocklisting] attempts, but our z9 machine learning engine allowed researchers to confidently spot the above injection tricks."

The Zscaler description describes three types of post-download techniques that can be used to bypass Google's app review process: direct downloads, one-step downloads, and two-step downloads. Despite the variations in delivery, the final payload was the same. Once an app has downloaded and activated the final payload, the imitation app can use the user's SMS app to sign up for premium subscriptions.

A Google spokesperson declined to comment other than noting that Zscaler reported that the company removed the apps as soon as they were privately reported.

day after day

With malicious apps infiltrating Play on a regular basis, often weekly, there is currently little evidence that the scourge of malicious Android apps is subsiding. That said, it's up to the individual end-users to stay away from apps like Joker. The best advice is to be extremely conservative about the apps that get installed first. A good guiding principle is to choose apps that serve a real purpose and, if possible, choose developers who are known entities. Installed apps that have not been used in the last month should be removed unless there is a good reason to keep them.

Using an AV app from Malwarebytes, Eset, F-Secure, or another reputable manufacturer is also an option, although these too can have difficulty detecting Joker or other malware.


Please enter your comment!
Please enter your name here