Joker Malware is a family of prevalent Android malware, notorious for billing fraud and spyware capabilities, that was first discovered in 2017.
Infamously called Joker, the malware has found a new trick to bypass Google's Play Store security: it obfuscates the malicious DEX file as Base64-encoded strings, then decodes and loads it on the compromised device.
According to Check Point's researchers, the new variant of Joker is fully capable of downloading additional malware to the compromised device and stealthily subscribing the user to premium services.
The malware hides under the guise of legitimate apps and subscribes unsuspecting Android users to premium services without their consent or knowledge.
Joker's Earlier Malware Campaigns
Joker was first discovered in 2017, as one of the most prevalent Android malware, notorious for billing fraud and spyware capabilities, including stealing SMSes, contact lists, and device information.
Earlier campaigns involving Joker were uncovered by Trend Micro, which found a number of malware-infected Android apps that repeatedly found ways to exploit security gaps in Google's Play Store malware checks.
The authors behind the large-scale malware operation have resorted to a variety of ways to avoid detection, such as using encryption to hide strings from analysis engines and posting fake reviews to lure unsuspecting users into downloading the apps.
The old technique, referred to as versioning, involves initially uploading a clean version of the app and then loading malicious code later via app updates.
Joker Using the Android Manifest to Hide a Malicious DEX File
The latest trick by Joker involves using the Android manifest to hide its malicious DEX file. While the goal remains the same, it now leverages the Android app's manifest file to load a Base64-encoded DEX file, or a similar technique of hiding the .dex file as Base64 strings.
To subscribe Android users to premium services without their knowledge or consent, the new Joker uses two components: the Notification Listener and a dynamic DEX file loaded from the C&C server to perform the fraudulent registration.
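As an added example (not code from the original article or from Check Point), here is a small detection check for the technique described above: it scans a decoded AndroidManifest.xml for meta-data values that Base64-decode to a DEX file. It assumes the hidden payload sits in a meta-data value, which is one of several places such a string could be stored; the sample manifest and the fake DEX blob are constructed for the demonstration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
DEX_MAGIC = b"dex\n"          # every classic DEX file starts "dex\n" + 3-digit version + NUL
B64_RUN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def looks_like_dex(blob: bytes) -> bool:
    """True if the bytes carry a DEX header: magic 'dex\\n', version digits, NUL terminator."""
    return blob[:4] == DEX_MAGIC and blob[4:7].isdigit() and blob[7:8] == b"\x00"

def find_embedded_dex(manifest_xml: str, min_len: int = 64):
    """Scan <meta-data> values for Base64 strings that decode to a DEX file.
    Returns a list of (android:name, decoded_size) for each hit."""
    hits = []
    root = ET.fromstring(manifest_xml)
    for el in root.iter("meta-data"):
        name = el.get(ANDROID_NS + "name", "")
        raw = "".join(el.get(ANDROID_NS + "value", "").split())  # drop whitespace/newlines
        if len(raw) < min_len or not B64_RUN.match(raw):
            continue
        try:
            blob = base64.b64decode(raw, validate=True)
        except binascii.Error:
            continue
        if looks_like_dex(blob):
            hits.append((name, len(blob)))
    return hits

# Constructed sample: a fake 48-byte DEX (valid header, zero body) hidden in one
# meta-data value, next to a benign meta-data entry and a benign Base64 blob.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 40
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <application>
    <meta-data android:name="api_version" android:value="2" />
    <meta-data android:name="banner" android:value="{base64.b64encode(b'A' * 48).decode()}" />
    <meta-data android:name="payload" android:value="{base64.b64encode(FAKE_DEX).decode()}" />
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, size in find_embedded_dex(SAMPLE_MANIFEST):
        print(f"meta-data '{name}' decodes to a {size}-byte DEX file")  # flags only 'payload'
```

On a real APK, run this over the manifest after decoding it with apktool or a similar tool; the binary AXML in the package is not parseable by ElementTree directly.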
It is therefore recommended that Android users check their mobile and transaction history for suspicious payments they don't recognize. Additionally, they should scrutinize the permissions granted to every app installed on their Android device.