Joker is one of the most prominent malware families that continually targets Android devices. Its main activity is to simulate clicks on advertisements and, by intercepting the victim's SMS messages, subscribe them to unwanted paid premium services.
The malware has been discovered once again in Google Play, using modifications to its code, execution methods, or payload-retrieval strategies to get past the store's vetting.
Joker Malware in Google Play
Security researchers from the Zscaler ThreatLabZ research team identified regular uploads of malware-infected apps to the Google Play store.
"This prompted us to assess how Joker is so successful at getting around the Google Play vetting process. We identified 17 different samples regularly uploaded to Google Play in September 2020. There were a total of around 120,000 downloads for the identified malicious apps," reads the Zscaler blog post.
Here is the list of impacted apps:
All Good PDF Scanner.
Mint Leaf Message-Your Private Message.
Special Keyboard– Fancy Fonts & Free Emoticons.
Tangram App Lock.
One Sentence Translator– Multifunctional Translator.
Style Photo Collage.
Talent Photo Editor– Blur focus.
Paper Doc Scanner.
Hummingbird PDF Converter– Photo to PDF.
Researchers observed three different infection scenarios.
Scenario 1: The malicious app has an obfuscated C&C URL embedded in it for direct download; once installed, the app contacts the C&C server to download the final payload.
Scenario 2: The malicious app has a stager payload added. The only task of this stager is to obtain the final payload URL from its code, then download and execute that payload.
Scenario 3: The infected app uses two stager payloads to reach the final payload: the app from Google Play downloads the stage one payload, which downloads the stage two payload, which finally loads the end Joker payload.
In all three scenarios the final payload downloaded is the Joker malware, and it uses DES encryption for its C&C activities. It is always advisable to check the permissions of the applications you install.
The malware takes users' money by subscribing them to paid services without their authorization. It simulates interaction with ads and then steals the victim's messages, including the OTPs used to authenticate payments.
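The following Python script is an added example (not code from the article or from Zscaler) of the static checks a triager would run on an APK that fits the scenarios above: the SMS-plus-network permission combination the page warns about, a base64-wrapped URL standing in for the obfuscated C&C or stage URL, a DexClassLoader reference showing that downloaded code is loaded at runtime, and a DES cipher transform. The permission list and the dex string constants are constructed inline to mimic what apktool or strings would pull from an unpacked APK; the marker strings, base64 as the obfuscation, and every name and URL are assumptions made for the example, not indicators published with the article.

```python
"""Static triage for a Joker-style dropper (added example, not the article's
or Zscaler's code). Inputs are constructed to mimic what apktool / strings
would pull from an unpacked APK. Marker strings and base64-as-obfuscation
are assumptions for the example, not indicators published with the page."""
import base64
import re

# Permissions that together let an app lift OTPs from SMS and reach a C&C.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
NET_PERMS = {"android.permission.INTERNET"}

# Assumed markers: runtime loading of downloaded code, and a DES transform.
DYNAMIC_LOAD_MARKERS = ("dalvik.system.DexClassLoader",
                        "dalvik.system.InMemoryDexClassLoader")
CIPHER_MARKERS = ("DES/", "DESede/")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_hidden_urls(dex_strings):
    """Return URLs hidden as base64 string constants (assumed obfuscation;
    a real triage would also try XOR- or AES-wrapped blobs)."""
    urls = []
    for s in dex_strings:
        if not B64_RE.match(s):
            continue
        try:
            plain = base64.b64decode(s, validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError subclass it
            continue
        if plain.startswith(("http://", "https://")):
            urls.append(plain)
    return urls


def triage(permissions, dex_strings):
    """Map each behaviour from the three scenarios to the evidence found."""
    perms = set(permissions)
    hits = {}
    if perms & SMS_PERMS and perms & NET_PERMS:
        hits["sms_and_network"] = sorted(perms & SMS_PERMS)
    hidden = decode_hidden_urls(dex_strings)
    if hidden:
        hits["hidden_urls"] = hidden
    loaders = [s for s in dex_strings if any(m in s for m in DYNAMIC_LOAD_MARKERS)]
    if loaders:
        hits["dynamic_code_loading"] = loaders
    ciphers = [s for s in dex_strings if any(m in s for m in CIPHER_MARKERS)]
    if ciphers:
        hits["des_cipher"] = ciphers
    return hits


def verdict(hits):
    """Hidden URL plus runtime loading is the dropper pattern; SMS access on
    top of it is the subscription-fraud pattern the page describes."""
    if {"hidden_urls", "dynamic_code_loading", "sms_and_network"} <= set(hits):
        return "likely Joker-style dropper"
    if hits:
        return "suspicious"
    return "no indicators"


# Constructed sample: a trojanised "PDF scanner". Names and URLs are invented.
SAMPLE_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_PHONE_STATE",
]
SAMPLE_DEX_STRINGS = [
    "Lcom/example/pdfscanner/MainActivity;",
    # the stage URL as the app would carry it: base64 rather than plaintext
    base64.b64encode(b"https://stage1.example.invalid/loader.dex").decode(),
    "dalvik.system.DexClassLoader",
    "DES/CBC/PKCS5Padding",
    "content://sms/inbox",
]
# Constructed benign counterpart: camera app with a plaintext upload endpoint.
BENIGN_PERMISSIONS = ["android.permission.INTERNET", "android.permission.CAMERA"]
BENIGN_DEX_STRINGS = [
    "Lcom/example/pdfscanner/MainActivity;",
    "https://api.example.invalid/upload",
    "AES/GCM/NoPadding",
]

if __name__ == "__main__":
    for label, perms, strs in (("sample", SAMPLE_PERMISSIONS, SAMPLE_DEX_STRINGS),
                               ("benign", BENIGN_PERMISSIONS, BENIGN_DEX_STRINGS)):
        found = triage(perms, strs)
        print(label, "->", verdict(found), found)
```

To run it against a real APK, feed `triage` the permission names from `aapt dump permissions app.apk` and the output of `strings classes.dex` after unzipping the APK; the regex deliberately requires at least 16 base64 characters so that short identifiers and cipher transform names are not decoded as URLs.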