Joker is one of the most prominent malware families that continuously target the Android devices, it’s main activity is to stimulate clicks on SMS message and subscribe for unwanted paid premium services.
The malware found again in Google play by employing changes in its code, execution methods, or payload-retrieving techniques.
Security researchers from the Zscaler ThreatLabZ research team identified regular upload of malware-infected files onto the Google Play store.
This prompted us to evaluate how Joker is so successful at getting around the Google Play vetting process. We identified 17 different samples regularly uploaded to Google Play in September 2020. There were a total of around 120,000 downloads for the identified malicious apps, reads Zscaler blog post.
Here is the list of affected apps;
The malware steals users’ money by subscribing them to paid subscriptions without their consent. It stimulates interaction with ads and then steals victims’ messages including OTP to authenticate payments.
Researchers observed three different infection scenarios
Scenario 1: The malicious has obfuscated C&C URL embedded in the app for direct download, once installed the malicious app contacts the C&C server for download.
Scenario 2: The malicious apps have stager payload added, the job of this stager payload is to simply retrieve the final payload URL from the code, download and execute it.
Scenario 3: Infected apps have two stager payloads to download the final payload. the Google Play infected app downloads the stage one payload, which downloads the stage two payload, which finally loads the end Joker payload.
With all the scenarios the final payload downloaded is the Joker malware and it uses DES encryption to execute the C&C activities. It is always recommended to check out the permissions of the applications that you are installing.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
Through the use of XLoader and impersonating SharePoint notifications, researchers were able to identify a…
Researchers have identified a rise in malicious activity on the VSCode Marketplace, highlighting the vulnerability…
TA397, also known as Bitter, targeted a Turkish defense organization with a spearphishing email containing…
BADBOX is a cybercriminal operation infecting Android devices like TV boxes and smartphones with malware…
Europol has published a groundbreaking report titled "Leveraging Legitimacy: How the EU’s Most Threatening Criminal Networks…
The Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a proposed update to the National…