A new variant of the Joker dropper and premium dialer malware recently made its way into 11 apps in the Google Play Store, reports information-security firm Check Point.
According to Check Point's report, released today (July 9), the creators of Joker have updated its code to enable it to get around Google Play security measures and infect Android devices yet again.
Check Point researchers said the latest variant of Joker hid in “seemingly legitimate applications” and installed “additional” malware onto the devices of unsuspecting users.
They explained that the malware then “subscribes the user to premium services without their knowledge or consent.”
The latest strain of Joker was found in 11 different apps, including a flower wallpapers app, a file-recovery app, an alarm app, a memory game and several apps that offered cheery messages or relaxation. All were removed from the Google Play store by April 30, according to a Check Point press release.
Leveraging old tactics
To avoid detection, Joker’s creators usually make small changes to the malware's code between campaigns; 24 apps were booted from Google Play in September 2019 for harboring Joker, for example.
But the Check Point researchers said that this time around, the malware developers “adopted an old technique from the conventional PC threat landscape and used it in the mobile app world.”
“To realize the ability of subscribing app users to premium services without their knowledge or consent, the Joker utilized two main components – the Notification Listener service that is part of the original application, and a dynamic dex file loaded from the C&C server to perform the registration of the user to the services,” wrote the researchers.
The researchers said Joker’s creators “hid the dynamically loaded dex file from sight while still ensuring it is able to load”, a method they said is usually adopted by cyber crooks developing Windows malware.
“This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded.”
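The two components described above, a service bound with the notification-listener permission and a dex file stashed inside the app as a Base64 string, are both visible in a static triage of the unpacked APK. The following Python script is an added example written for this article, not Check Point's tooling or the Joker code itself: it checks a decoded AndroidManifest.xml for services declared with `android.permission.BIND_NOTIFICATION_LISTENER_SERVICE` and scans raw file contents for long Base64 runs that decode to a DEX header (`dex\n035\0` through `dex\n039\0`). It assumes the manifest has already been decoded (for instance with apktool); the manifest and the `strings.xml` fragment below are constructed sample inputs.

```python
"""Static triage for the two Joker indicators described in the article:
(1) a service bound with the notification-listener permission in the manifest, and
(2) Base64-encoded strings that decode to a DEX file (magic "dex\\n0xx\\0").
Added example, not Check Point's or Joker's code. Inputs are the decoded manifest
text and raw bytes of resource/asset files, e.g. as unpacked by apktool."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NOTIFICATION_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# DEX files start with "dex\n" and a three-digit version ("035", "037", "038", "039") plus NUL.
DEX_MAGIC_RE = re.compile(rb"dex\n0[0-9]{2}\x00")
# Only long, unbroken Base64 runs are worth decoding; a payload split over several
# strings would need the fragments concatenated first (not handled here).
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def notification_listener_services(manifest_xml: str) -> list:
    """Return the class names of <service> elements bound with the listener permission."""
    root = ET.fromstring(manifest_xml)
    return [
        svc.get(ANDROID_NS + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER_PERM
    ]


def embedded_dex_candidates(blob: bytes) -> list:
    """Find Base64 runs in `blob` whose decoded form begins with a DEX header."""
    hits = []
    for m in B64_RUN_RE.finditer(blob):
        run = m.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid Base64 (bad length/padding); skip it
        if DEX_MAGIC_RE.match(decoded):
            hits.append({"offset": m.start(), "encoded_len": len(run), "decoded_len": len(decoded)})
    return hits


def triage(manifest_xml: str, files: dict) -> dict:
    """Combine both checks over a manifest and a {path: bytes} map of unpacked files."""
    return {
        "notification_listeners": notification_listener_services(manifest_xml),
        "embedded_dex": {path: embedded_dex_candidates(data) for path, data in files.items()
                         if embedded_dex_candidates(data)},
    }


# ---- constructed sample inputs (hypothetical package and class names) ----
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flowerwallpaper">
  <application>
    <service android:name=".NotifyListener"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

# A fake 72-byte "DEX" (valid magic, zero body) and a benign 60-byte Base64 blob.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 64
SAMPLE_STRINGS_XML = (
    b'<resources>\n'
    b'  <string name="banner">' + base64.b64encode(b"A" * 60) + b'</string>\n'
    b'  <string name="cfg">' + base64.b64encode(FAKE_DEX) + b'</string>\n'
    b'</resources>\n'
)

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, {"res/values/strings.xml": SAMPLE_STRINGS_XML}))
```

On the constructed sample this reports `.NotifyListener` as a listener-bound service and exactly one embedded-DEX candidate in `strings.xml` (the benign Base64 string decodes cleanly but lacks the DEX magic, so it is not flagged). A listener service alone is legitimate in many apps; it is the combination with a decodable DEX payload that matches the behaviour the researchers describe.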
What to do if you're infected
For users who have downloaded an infected app onto their device, Check Point recommends that they uninstall it; review their bank statements to see if any payments for unfamiliar subscriptions have come out of their account; and use one of the best Android antivirus apps.
A full list of the Android package names is below. These package names don't always correspond to what the app is called in Google Play or app stores, however.