Security researchers discovered a new Android Trojan with malware dropper and spyware capabilities in 24 Google Play Store apps with more than 472,000 downloads in total.
The new Android malware dubbed ‘Joker’ is hidden within advertisement frameworks used by the compromised apps — some with over 100,000 installs — and it is designed to download a second-stage component as a DEX file that adds more capabilities.
This additional malicious component simulates user interaction on ad sites and also harvests its victims’ device info, contact list, and text messages.
“The automated interaction with the advertisement websites includes simulation of clicks and entering of the authorization codes for premium service subscriptions,” CSIS Security Group found in its recent analysis.
Joker utilizes its SMS collection module to sign its victims up for premium subscriptions using the authorization codes automatically extracted from the authorization text messages.
Only Android users from a very specific list of countries are currently targeted by the Joker Trojan — including but not limited to Australia, France, Germany, India, the UK, and the U.S. — with the vast majority of infected apps found by the researchers containing a hardcoded list of Mobile Country Codes.
The malware compares the SIM card’s country code with the hardcoded list to check whether the victim is in a targeted country before the second-stage component is dropped.
However, “most of the discovered apps have an additional check, which will make sure that the payload won’t execute when running within the US or Canada.”
Another technique that makes analysis harder is the use of “custom string obfuscation schemes for all of the configuration, payload, communication parsing procedures.”
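As an added illustration (not part of the article or of CSIS Security Group’s analysis), the following Python triage heuristic scores a decoded APK on the three traits described above: a hardcoded Mobile Country Code list, SMS-reading permissions, and dynamic DEX loading. The MCC values are the ITU E.212 codes for the countries the article names; the string table, permissions, package names and URL are constructed samples, and the `MIN_CLUSTER` threshold and the verdict levels are assumptions of this example, not anything from the report.

```python
import re

# Mobile Country Codes (ITU E.212) for the countries the article names as targeted,
# plus the US/Canada exclusion it mentions. Only the country list comes from the
# report; the hardcoded list inside a real sample is not reproduced here.
MCC_BY_COUNTRY = {
    "Australia": {"505"},
    "France": {"208"},
    "Germany": {"262"},
    "India": {"404", "405"},
    "United Kingdom": {"234", "235"},
    "United States": {str(c) for c in range(310, 317)},
    "Canada": {"302"},
}
COUNTRY_BY_MCC = {mcc: c for c, mccs in MCC_BY_COUNTRY.items() for mcc in mccs}

# Indicators that, alongside an MCC list, match the behaviour the article describes:
# reading SMS for authorization codes and loading a downloaded DEX at runtime.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
DEX_LOADER_MARKERS = ("dalvik/system/DexClassLoader", "dalvik/system/InMemoryDexClassLoader")
MIN_CLUSTER = 3  # assumption: one 3-digit number is noise, several known MCCs together is a list


def find_mcc_clusters(strings):
    """Return {mcc: country} for every string holding MIN_CLUSTER or more known MCCs."""
    hits = {}
    for s in strings:
        tokens = set(re.findall(r"(?<!\d)(\d{3})(?!\d)", s))
        known = {t for t in tokens if t in COUNTRY_BY_MCC}
        if len(known) >= MIN_CLUSTER:
            hits.update({t: COUNTRY_BY_MCC[t] for t in known})
    return hits


def sim_country(sim_operator):
    """Map a TelephonyManager.getSimOperator()-style MCC+MNC string to its country.

    Returns (mcc, country), or (mcc, None) for an MCC outside the table above.
    """
    mcc = sim_operator[:3]
    return mcc, COUNTRY_BY_MCC.get(mcc)


def triage(strings, permissions):
    """Score a decoded APK on the three traits the report ties together."""
    mcc_hits = find_mcc_clusters(strings)
    sms_read = bool(SMS_PERMISSIONS & set(permissions))
    dynamic_dex = any(m in s for s in strings for m in DEX_LOADER_MARKERS)
    score = sum((bool(mcc_hits), sms_read, dynamic_dex))
    verdict = {0: "clean", 1: "low", 2: "medium", 3: "high"}[score]  # assumed scale
    return {
        "countries": sorted(set(mcc_hits.values())),
        "sms_read": sms_read,
        "dynamic_dex": dynamic_dex,
        "verdict": verdict,
    }


# Constructed sample input standing in for the string table and manifest of a decoded APK.
SUSPICIOUS_STRINGS = [
    "com.example.adsdk.Config",                # constructed package name
    "https://cfg.example.invalid/v1/payload",  # constructed URL, not a real C2
    "505,208,262,404,405,234,235",             # constructed MCC allow-list
    "build 2.0.208",                           # benign: a single 3-digit token, ignored
    "Ldalvik/system/DexClassLoader;",
]
SUSPICIOUS_PERMISSIONS = {"android.permission.INTERNET", "android.permission.READ_SMS"}

BENIGN_STRINGS = ["com.example.weather", "build 2.0.208", "https://api.example.invalid/"]
BENIGN_PERMISSIONS = {"android.permission.INTERNET"}

if __name__ == "__main__":
    print(triage(SUSPICIOUS_STRINGS, SUSPICIOUS_PERMISSIONS))
    print(triage(BENIGN_STRINGS, BENIGN_PERMISSIONS))
    # A US SIM: under the reported US/Canada exclusion the payload would not run.
    print(sim_country("310260"))
```

One practical consequence of the country gate for analysts: a sandbox whose emulated SIM reports a US or Canadian MCC would never receive the second stage, so `sim_country` is a quick way to check which operator string an analysis device is presenting before concluding a sample is inert.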
Joker’s second stage component periodically checks for new commands to execute by reaching out to its command and control (C2) server based on a pre-defined schedule and will proceed to open the domains with premium offers sent by the campaign’s operators.
The authorization codes used to sign victims up for various paid subscriptions are harvested by interacting with the premium offer pages or by texting premium numbers with offer codes found on the advertisement pages — they are also exfiltrated to the C2 servers for reasons not yet known.
This malicious component is also the one responsible for collecting all the victim’s contacts from the phone’s address book, contacts that will get sent in encrypted form to the attackers’ data storage servers.
While DNS metadata related to its activity suggests Joker became active around early June, “the major version digits in the build names give an impression of a slightly longer life cycle, potentially with more campaigns in the past.”
Google has removed all Joker-infected apps from the Play Store while CSIS Security Group was analyzing the Trojan’s activity without the researchers having to report any of them.
This shows that the Google Play Protect built-in malware protection and Google’s security researchers can discover and actively remove previously undetected malware strains from the Play Store although some sneak in undetected once in a while.
For instance, last month researchers spotted a Trojan Dropper module hidden within the Android app CamScanner, which had been downloaded over 100 million times by Google Play Store users.
Previously, a clicker Trojan bundled within over 33 apps with another 100 million downloads was also distributed via Google’s official Android store, as was, twice within a period of two weeks, an Android app with spyware capabilities borrowed from the open-source AhMyth Android RAT.
A full list of indicators of compromise (IOCs), including malware sample hashes, C2 domains used by the attackers, and the package names of infected Android apps, is available at the end of CSIS Security Group’s analysis of the new Android Joker Trojan.