A research firm has reported that 24 apps in the Google Play Store, collectively downloaded 472,000 times, were found to be infected with Joker, a new Android malware whose payload perpetrates both ad fraud and data theft.

Joker’s second-stage malware is a .dex (Dalvik Executable) file capable of stealing victims’ SMS messages, contact lists and device information. According to CSIS malware analyst Aleksejs Kuprins, writing on his company’s tech blog, Joker secretly interacts with advertisement websites in order to generate fake clicks. Infected victims are also signed up for premium service subscriptions they never asked for.

Kuprins mentioned that the malware requests these unauthorised subscriptions by “automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for an SMS message with a confirmation code and extracting it using regular expressions”. “The Joker then submits the extracted code to the offer’s webpage to authorise the premium subscription”, he continues.

Kuprins also said that Google was aware of the malicious apps and has been actively removing them from the Google Play Store. CSIS reported that Joker downloads the malicious payload only if the user’s SIM card comes from one of the following 37 countries: Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom and the U.S.

Even though the U.S. and Canada are among the countries targeted in this attack, most of the apps published in these two countries contain additional instructions that prevent the attack from being executed.

The core payload is “small and silent”, CSIS reported. It uses minimal Java code and generates very little footprint, in the hope of evading detection. Joker receives commands and code over HTTP, and runs the code through JavaScript-to-Java callbacks in order to hinder static analysis. The user interface of its C2 panel and the comments in the malware’s code are both written in Mandarin, a possible hint as to attribution of the attack.

Condition Zebra (an international IT security services, training and certification provider) advises all users: if you were one of the nearly half a million people who downloaded any of the apps listed below, please check your bank and credit card statements for any suspicious transactions.

Here is the full list of apps infected with the Joker malware:

1. Advocate Wallpaper
2. Age Face
3. Altar Message
4. Antivirus Security – Security Scan
5. Beach Camera
6. Board picture editing
7. Certain Wallpaper
8. Climate SMS
9. Collate Face Scanner
10. Cute Camera
11. Dazzle Wallpaper
12. Declare Message
13. Display Camera
14. Great VPN
15. Humour Camera
16. Ignite Clean
17. Leaf Face Scanner
18. Mini Camera
19. Print Plant scan
20. Rapid Face Scanner
21. Reward Clean
22. Ruddy SMS
23. Soby Camera
24. Spark Wallpaper

Stay informed about the cybersecurity news and prevent yourself from being a victim, bookmark our blog now!

Source: SCMagazine