The Joker malware, which borrows the name of the famous villain, follows a recurring pattern: it arrives on Google Play disguised as a keyboard customization app, a wallpaper app, a photo editor or a minigame. When the suspicious applications are detected, they are removed. The Joker’s operators then make some adjustments and put the app through the automated checks again.
On the website of Zscaler, a cloud security company, researchers say that the malware always finds “a little way” back into Google’s official store, and into other large ones such as Huawei’s. According to the researchers, the Joker is designed to steal SMS messages and contact lists and to enroll its victims in wireless application protocol (WAP) billing services.
The malware has been in the Zscaler team’s crosshairs for a long time, but the company recently noticed a surge of Joker uploads on Google Play. As soon as the Joker’s presence was confirmed, the Google Android security team was alerted and more than a dozen infected apps were removed.
How does the Joker attack?
According to Zscaler’s analysis, the cybercriminals use a technique called versioning: they first publish a completely harmless version of the app to get past Google’s security filters, and only a later update carries the malicious code. Once the app has earned users’ trust, the Joker relies on one of three tactics to hide where its malicious payload and its infrastructure live.
The first tactic is to embed the URL of the command and control (C2) server directly in the app’s own code. So that it cannot simply be read out during reverse engineering, the cybercriminals obfuscate the string, so that a search of the bytecode for the URL turns up nothing.
The second tactic is to download a second-stage malware payload whose URLs are encrypted with the Advanced Encryption Standard (AES), which makes them equally invisible to a static string search. Finally, in the final payload, the malicious code uses the older Data Encryption Standard (DES) algorithm to turn the URL string into a block of ciphertext. In all three cases the app must carry, or be able to derive, the key it needs to decrypt the string at runtime, and that is what an analyst uses to recover the address.
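The following is an added example, not code from Zscaler’s report or from the malware itself, showing in Python why a plain URL search over an app’s string table misses a hidden C2 address and how a decoder armed with the recovered key gets it back. The XOR-plus-Base64 scheme, the key `SAMPLE_KEY`, the URL `c2.example.invalid` and every string in `SAMPLE_STRINGS` are constructed for illustration and are not the Joker’s real scheme or indicators; `recover_urls` takes the decode routine as a parameter so the same scan works for an AES- or DES-encrypted stage once the key material has been pulled out of the app.

```python
"""Added example: static string search vs. a decoder for an obfuscated C2 URL.
The XOR-plus-Base64 scheme, key and sample strings are constructed for
illustration; they are not the malware's real scheme or indicators.
"""
import base64
import re
from typing import Callable, Iterable, List, Tuple

# Assumption: key material an analyst pulled out of the app's decode routine.
SAMPLE_KEY = b"k3y!"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used here as a stand-in for the obfuscation step."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(url: str, key: bytes) -> str:
    """Build-time transform: XOR the URL, then Base64 it so it can be
    embedded as an ordinary string constant."""
    return base64.b64encode(xor_bytes(url.encode(), key)).decode("ascii")


def deobfuscate(blob: str, key: bytes) -> str:
    """Runtime transform the app applies just before contacting the server."""
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8", "replace")


# Constructed strings dump of a decompiled app: one benign URL in the clear,
# the C2 URL present only in obfuscated form.
C2_URL = "http://c2.example.invalid/api/sub"
SAMPLE_STRINGS = [
    "Keyboard Theme Pro",
    "Lcom/example/wallpaper/MainActivity;",
    "https://developer.android.com/",
    obfuscate(C2_URL, SAMPLE_KEY),
    "ThemeDownloader",
]

URL_RE = re.compile(r"https?://[\w.\-/]+")
# Base64 alphabet only, 16+ chars, optional padding. The alphabet has no ':',
# so a Base64 blob can never match URL_RE and a URL can never match this.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def find_plain_urls(strings: Iterable[str]) -> List[str]:
    """What a naive filter does: grep the string table for URLs."""
    return [s for s in strings if URL_RE.search(s)]


def find_encoded_candidates(strings: Iterable[str]) -> List[str]:
    """Strings shaped like Base64 blobs, where an obfuscated URL can hide."""
    return [s for s in strings if B64_RE.match(s)]


def recover_urls(strings: Iterable[str],
                 decode: Callable[[str], str]) -> List[Tuple[str, str]]:
    """Run every candidate through the decode routine and keep the ones that
    yield a URL. `decode` is pluggable: for an AES- or DES-encrypted stage,
    pass a function that wraps a crypto library with the extracted key."""
    found = []
    for blob in find_encoded_candidates(strings):
        try:
            plain = decode(blob)
        except (ValueError, UnicodeError):
            continue  # not decodable under this key; move on
        if URL_RE.search(plain):
            found.append((blob, plain))
    return found


if __name__ == "__main__":
    print("plain URLs:", find_plain_urls(SAMPLE_STRINGS))
    print("candidates:", find_encoded_candidates(SAMPLE_STRINGS))
    print("recovered:", recover_urls(SAMPLE_STRINGS,
                                     lambda b: deobfuscate(b, SAMPLE_KEY)))
```

The point of the split between `find_plain_urls` and `recover_urls` is the one the analysis makes: a filter that only looks for URL-shaped strings sees the benign documentation link and nothing else, while the real address is recoverable only by locating the decode routine and running it, which is also why detection should key on the presence of such a routine rather than on the string it protects.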