Joker Android Malware Laughs At Google Play Security Again In Premium Billing Scam

android malware
The researchers at Check Point Security are warning about a new strain of the Joker Dropper malware that has found its way into the Google Play Store (again). Unfortunately for unassuming Android users, Joker is a rather old piece of malware dating back to 2017, which keeps "reinventing" itself to circumvent security protections put in place by Google.

The latest version of Joker is using nefarious means to subscribe its Android victims to premium services, which pads their monthly cell phone bills with additional charges. In this latest iteration, Joker hides its code in the Android manifest file for an app. By going this route, Joker doesn’t need to access a command and control (C&C) server to download its malicious payload.

In order to mask Joker's nefarious deeds, the folks at Check Point says that the malware developers have also adopted techniques previously used on PC platforms. "This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded," writes Check Point. 

joker 1

The researchers notified Google of their findings, and 11 apps infected with Joker were removed from Google Play as of April 30th, 2020. The infected apps included the following:

  • com.hmvoice.friendsms
  • com.relax.relaxation.androidsms
  • com.cheery.message.sendsms
  • com.cheery.message.sendsms
  • com.peason.lovinglovemessage
  • com.file.recovefiles
  • com.LPlocker.lockapps
  • com.remindme.alram

The primary method of attack for Joker is to install itself through seemingly legitimate app, and then download additional software that allows it to both read and send SMS texts. With Android's security compromised, it then secretly signs victims up for premium services, which is a frequent type of billing fraud. 

"The Joker malware is tricky to detect despite Google's investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again," said Check Point’s Aviran Hazum. "Everyone should take the time to understand what Joker is and how it hurts everyday people.

“We found it hiding in the 'essential information' file every Android application is required to have. Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users."

If you have installed any of the above apps on your Android device, you should uninstall them immediately. After that, check your cell phone bill for any mysterious charges that may have popped over the past few months and dispute them with your wireless carrier.