The Joker is Back and Worse Than Ever

 The Android threat aptly named Joker is back again, and this time it packs an even more potent punch and is upgraded to evade detection more efficiently.

What is Going On

Threatpost reported this week that the mobile banking trojan, nicknamed Joker, is back on the Google Play store and racking up victims quickly.

Older versions of Joker were disguised as legitimate apps like games, messengers, camera apps, wallpaper, translators, and photo editors. Once installed, the Joker malware copies SMS messages, spies on user interaction, and subscribes users to ‘unwanted, paid premium services controlled by the attackers – a type of billing fraud that researchers categorize as “fleeceware.”.’ Additionally, Threatpost warns that “The apps also steal SMS messages, contact lists, and device information. Often, the victim is none the wiser until the mobile bill arrives.”

Joker apps are commonly found on freeware websites and other malicious sites. However, since 2019, Joker has also been found on the Google Play store piggybacked onto other apps. Google Play’s store scanners haven’t eliminated them because attackers use slight changes to the code and tactics, therefore effectively skirting detection. Threatpost commented that “As a result, there have been periodic waves of Joker infestations inside the official store, including two massive onslaughts last year. According to researchers at Zimperium, more than 1,800 Android applications infected with Joker have been removed from the Google Play store in the last four years.”

Why Hasn’t Google Put an End to It?

Threat researchers have found at least 1,000 instances of the trojan on the Google Play store since September 2020. In a threat notice posted by Zimperium on Tuesday, they said, “Malicious actors have routinely found new and unique ways to get this malware into both official and unofficial app stores.”

The threat assessors continued by saying,

“While they are never long for life in these repositories, the persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat-and-mouse game.”

One reason hackers have been successful is because attackers are coding these apps using Flutter, an open-source development kit tool that legitimate app makers use to create programs. When the Google scanner sees that the program was coded with Flutter, it incorrectly assesses it as safe.

Researchers explain,

“Due to the commonality of Flutter, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies.”

New Dangers

Alarmingly, the latest version of Joker comes with some additional surprises. Threatpost warns, “According to the analysis, another anti-detection technique lately adopted by Joker enthusiasts is the practice of embedding the payload as a .DEX file that can be obfuscated in different ways, such as being encrypted with a number, or hidden inside an image using steganography. Sometimes in the latter case, the image is hosted in legitimate cloud repositories or on a remote command-and-control (C2) server, researchers said.”

Unfortunately, these new and very dangerous apps are making their way into other app marketplaces, for example, AppGallery – the official app store for Huawei Android. Again, Threatpost hammers home the danger, “According to Doctor Web back in April, the apps were downloaded by unwitting users to more than 538,000 devices.”

Threatpost also warns that the threat is not just to individuals but also companies, “These malicious applications can find their way into the enterprise when an infected device is enrolled in a company’s bring-your-own-device (BYOD) program, and suddenly you have a new threat vector,” he said via email. “We hope to see better app review processes by Apple and Google and that consumer and business buyers continue to educate themselves on how to select appropriate mobile applications.”