Joker was first identified and tracked three years ago and is described by Google as one of the most persistent threats it has had to deal with since 2017. Its coders have used “just about every cloaking and obfuscation technique under the sun” to try to throw Google’s Play Store defences off the scent.
Joker is a combination of spyware and premium dialler that hides inside legitimate-looking apps, for example apparently innocuous wallpaper downloaders.
Once installed on a victim’s device, it can read notifications and read and send SMS messages. It uses these capabilities to sign victims up to premium-rate services without their knowledge, for instance by intercepting the confirmation codes those services send by SMS.
According to Check Point’s Aviran Hazum, who has been on its trail for some time, Joker has recently been updated and now uses a new method: it hides its malicious code inside the Android Manifest file of an otherwise genuine-looking app.
The Android Manifest file contains essential information about the app, such as its name, icon and permissions – information that every app must provide to the target device’s Android system before it can run any of its code.
By doing this, said Hazum, Joker no longer needs to contact a command and control (C2) server to download its malicious payload, because the payload is now prebuilt and ready to go inside the app. With no runtime fetch of a second stage for Google Play’s vetting to observe, it becomes much easier for Joker to slip unnoticed past the Play Store’s protections.
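A practitioner reviewing apps for this trick would want a quick triage check. The following script is an added example, not code from Check Point or from the article: it walks a decoded AndroidManifest.xml (as produced by apktool; the binary AXML inside an APK would need decoding first), looks for long base64-looking attribute values, decodes them and checks the result for the magic bytes of a DEX, ZIP/APK or ELF file. The assumption that a payload is stored as a base64 attribute value, and the sample manifest with its fake DEX header, are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Magic bytes of payload formats a dropper might stash in the manifest.
# Assumed candidates: the article only says the payload is "prebuilt" in the manifest.
PAYLOAD_MAGIC = {
    b"dex\n": "dex",          # Dalvik executable: "dex\n035\0", "dex\n038\0", ...
    b"PK\x03\x04": "zip",     # APK / JAR / plain ZIP
    b"\x7fELF": "elf",        # native library
}

# Only the base64 alphabet, with at most two padding characters at the end.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def classify_blob(raw):
    """Return the payload type for raw bytes, or None if no known magic matches."""
    for magic, kind in PAYLOAD_MAGIC.items():
        if raw.startswith(magic):
            return kind
    return None


def scan_manifest(xml_text, min_len=64):
    """Find attribute values in a decoded AndroidManifest.xml that base64-decode
    to an executable payload. Returns a list of finding dicts."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            candidate = re.sub(r"\s+", "", value)
            if len(candidate) < min_len or not B64_RE.match(candidate):
                continue
            try:
                raw = base64.b64decode(candidate, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            kind = classify_blob(raw)
            if kind is None:
                continue
            findings.append({
                "element": elem.tag,
                "attribute": attr.replace("{%s}" % ANDROID_NS, "android:"),
                "name": elem.attrib.get("{%s}name" % ANDROID_NS),
                "kind": kind,
                "decoded_size": len(raw),
            })
    return findings


# Constructed sample: a manifest for a "wallpaper" app carrying a fake DEX
# (only the magic bytes plus zero padding, not real bytecode) in a <meta-data> value.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 120
PAYLOAD_B64 = base64.b64encode(FAKE_DEX).decode()

SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.wallpapers">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Cool Wallpapers">
    <meta-data android:name="com.google.android.gms.version" android:value="12451000"/>
    <meta-data android:name="config_blob" android:value="{PAYLOAD_B64}"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for f in scan_manifest(SAMPLE_MANIFEST):
        print(f"{f['element']} {f['name']!r}: {f['kind']} payload, {f['decoded_size']} bytes")
```

The check is deliberately cheap: it flags only values that decode to a recognised executable format, so ordinary long strings (keys, configuration JSON) do not trip it. A real sample may XOR or otherwise scramble the blob before base64 encoding, in which case the magic check fails and an entropy threshold on long attribute values is the fallback worth adding.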
“Joker adapted,” said Hazum. “We found it hiding in the “essential information” file every Android application is required to have. Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users.
“The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people.”
Hazum’s advice to Android users who suspect an app on their device is infected with Joker: uninstall the app immediately, then check mobile and credit card bills for subscriptions you do not recognise, and be prepared to cancel and/or dispute them. Installing a mobile security product on the device to guard against future infections is also advisable; several such services are available.
Check Point reported the 11 malicious apps to Google through its disclosure programme, and they had been removed from the Play Store by 30 April 2020.