A new variant of the Joker Dropper and Premium Dialer spyware has been discovered in the Google Play Store, according to researchers at Check Point.
Joker, one of the most prominent types of malware for Android, keeps finding its way into Google’s official application market as a result of small changes to its code, which enables it to get past the Play store’s security and vetting barriers.
This time, however, researchers report that the malicious actor behind Joker adopted an old technique from the conventional PC threat landscape and used it in the mobile app world to avoid detection by Google.
To realize the ability of subscribing app users to premium services without their knowledge or consent, the Joker utilized two main components – the Notification Listener service that is part of the original application and a dynamic dex file loaded from the C&C server to perform the registration of the user to the services.
In an attempt to minimize Joker’s fingerprint, the actor behind it hid the dynamically loaded dex file from sight while still ensuring it is able to load – a technique which is well-known to developers of malware for Windows PCs.
This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded.
If you suspect you may have one of these infected apps on your device, here are three things you should do:
- Uninstall the infected application from the device
- Check your mobile and credit-card bills to see if you have been signed up for any subscriptions and unsubscribe if possible
- Install a security solution to prevent future infections
