At the end of last year, we saw the Joker malware surface and spread like a wildfire. A new variant of the Joker Dropper and Premium Dialer spyware in the Google Play Store has been discovered in the recent report from the Check Point researchers. They were found hiding inside seemingly legitimate applications. This new updated Joker malware can download additional malware to the user, which in effect subscribes to a number of premium services without their consent.
Meanwhile, Google has pulled 11 devices from the Play Store that have been compromised with the infamous Joker malware. Applications include
com.imagecompress.android, com.relax.relaxation.androidsms, com.cheery.message.sendsms (two separate instances), com.peason.lovinglovemessage, com.contact.withme.texts, com.hmvoice.friendsms, com.file.recovefiles, com. LPlocker.lockapps, com.remindme.alram, com.training.memorygame
Joker malware: everything you should know
Researchers have said that with small changes to its code, the Joker malware will get past the Play Store’s security and check barriers. This time along the Joker malware has adopted an old technique from the conventional PC threat landscape to avoid Google detection. The newly modified Joker virus uses two main components to subscribe to premium services for users of apps. The following components are: Notification Listener service and dynamic dex file loaded from the C&C server.
To minimize the code of the Joker, the developer hid the code by dynamically loading it to the dex file, while at the same time, ensuring that it was fully loaded when it was triggered. The code within the dex file is encoded as Base64 encoded strings, which start decoding and loading as soon as the victim opens the affected apps.
The original Joker malware communicated with C&C, and then downloaded the dynamic dex file that was loaded as casses.dex. However, the new modified version of the code is embedded in another zone, with the classes.dex file loading a new payload. The malware is triggered by the creation of a new object that communicates with C&C.
How to Fix it
Since the payload is encoded in Base 64 strings, the only thing the actor had to do to conceal the file was to set the C&C server to return “false” to the status code if the tests were running.
Check all of your software carefully and see if they’re from a non-trusted developer. When you feel like you have downloaded an infected file, you can delete it immediately. You should check your mobile and credit card bills for any problems. If you have any conversation with the bank and unsubscribe from these charges. Finally , it is recommended that users install an antivirus software on their smartphones to avoid infections.