Active since 2017, this Trojan hides in common legitimate-looking apps, including photo editing tools, mobile games, messaging platforms, translators and other utilities. Once installed on an affected device, Joker begins intercepting the victim's SMS messages in order to sign them up for premium services without authorization, in addition to stealing information from the device.
In this new wave, which began in September 2020, at least 1000 Joker samples have been detected in apps available on the Google Play Store and other third-party platforms: “Hackers found new ways to introduce this malware into official and unofficial app stores,” Zimperium’s report mentions.
Apparently, the developers of the latest version of Joker take advantage of legitimate development techniques to hide any hint that the application carries a set of malicious, legacy-based tools. This approach helps the malware evade both on-device security and the protections of the app stores.
According to the report, this can be done with Flutter, an open source application development kit created by Google that lets developers build native applications for mobile, web and desktop from a single code base. Using Flutter to write mobile apps is a common approach, so most scanners treat it as a benign development choice.
Experts mention that another technique used to evade detection of these malicious tools is embedding a payload, such as a .DEX file, which can be obfuscated in multiple ways, including steganography.
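One defender-side check that follows from this, added here as an example and not taken from Zimperium's report: scan an APK's non-code entries for a DEX header, which catches a DEX payload stored verbatim inside an image or other asset (a byte-pattern check like this cannot see LSB steganography). The sample APK below is constructed inline; the entry names are assumptions.

```python
import io
import re
import zipfile

# DEX header magic: "dex\n", a three-digit version (035, 037, 038, 039) and a NUL.
DEX_MAGIC = re.compile(rb"dex\n0\d\d\x00")


def find_embedded_dex(apk_bytes):
    """Return [(entry_name, offset), ...] for every entry that is not itself a
    .dex file but contains a DEX header somewhere in its bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            # classes.dex and friends are expected; only flag DEX hidden elsewhere.
            if info.is_dir() or info.filename.lower().endswith(".dex"):
                continue
            data = zf.read(info)
            for m in DEX_MAGIC.finditer(data):
                hits.append((info.filename, m.start()))
    return hits


def build_sample_apk():
    """Constructed sample (not a real APK): a minimal zip with a legitimate
    classes.dex, a clean PNG-like asset, and one asset with a DEX header
    appended after a PNG signature."""
    fake_dex = b"dex\n035\x00" + b"\x00" * 24          # constructed, truncated header
    png_sig = b"\x89PNG\r\n\x1a\n"
    clean_png = png_sig + b"\x00" * 32
    tainted_png = png_sig + b"\x00" * 16 + fake_dex     # DEX header lands at offset 24
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", fake_dex)            # expected location, skipped
        zf.writestr("res/drawable/logo.png", clean_png)
        zf.writestr("assets/splash.png", tainted_png)
    return buf.getvalue()


if __name__ == "__main__":
    for name, off in find_embedded_dex(build_sample_apk()):
        print(f"DEX header inside {name} at offset {off}")
```

Point `find_embedded_dex` at the bytes of a real APK to triage an app's assets the same way.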
Finally, experts mention that the new samples also take extra precautions to remain hidden once the trojanized application is installed. “After installation, the infected app will run a scan using Google Play APIs to check the latest version of Google Play Store installed on the device. If there is no response, the malware remains silent, as it can run on a dynamic analysis emulator,” the report says.
For security reasons, users are advised not to install applications available on unofficial platforms, as there is no way to know if these tools are infected with malware. For apps available on the Play Store, it’s best not to install apps from developers without high ratings.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science at Miami and started working as a cyber security analyst in 2008. He is actively working as a cyber security investigator. He also worked for security companies like Cisco. His everyday job includes researching new cyber security incidents. He also has deep knowledge of enterprise security implementation.