Hackers and Google Play have been caught up in a tense dance over the past decade. The hackers sneak malware into the Google-owned Android app repository. Google throws it out and develops defenses to prevent it from happening again. Then the hackers find a new opening and do it all over again. This two-step has played out again, this time with a malware family known as the Joker, which has been infiltrating Play since at least 2017.
The Joker is malicious code that lurks inside seemingly legitimate apps. It often waits hours or days after the app is installed to run in an attempt to evade Google’s automated malware detection. On Thursday, researchers with security firm Check Point said the Joker has struck again, this time lurking in 11 seemingly legitimate apps downloaded from Play about 500,000 times. Once activated, the malware allowed the apps to surreptitiously subscribe users to pricey premium services.
The new variant found a new trick to go undetected—it hid its malicious payload inside what’s known as the manifest, a file Google requires every app to include in its root directory. Google’s intent is for the XML file to provide more transparency by making permissions, icons, and other information about the app easy to find.
The Joker developers found a way to use the manifest to their advantage. Their apps included benign code for legitimate things such as texting or displaying images in the expected parts of the installation file. They then hid the malicious code inside the metadata of the manifest.
The developers added two more layers of stealth. First, the malicious code was stored in base 64-encoded strings that aren’t human readable. Second, during the period Google was evaluating the apps, the malicious payload would remain dormant. Only after the app was approved would the Joker code get loaded and executed. Google removed the apps after Check Point reported them.
In January, Google published a detailed description of Bread—the alternate name for the Joker—that enumerated its many ways of bypassing defenses. The post said that Play Protect—Google’s automated scanning service—had detected and removed 1,700 unique apps from the Play Store before ever being downloaded. Checkpoint’s discovery of a new batch of apps downloaded a half million times underscores the limits of Play Protect.
“Our latest findings indicate that Google Play Store protections are not enough,” Aviran Hazum, Check Point’s manager of mobile research, wrote in an email. “We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users. The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again.”
To prevent detection, earlier Joker variants often obtained the malicious payload—in the form of a dynamically loaded dex file—from a command and control server after the app was already installed. As Google’s defenses have improved, that method became less effective. The developers’ solution was to store the dex file—in the form of base 64 strings—inside the manifest. To be activated, the payload needed only confirmation from the control server that the campaign was active. Check Point also found another Joker variant that hid the base 64 strings inside an internal class of the main app.
The 11 apps Check Point found are:
- com.cheery.message.sendsms (two different instances)
Anyone who has had one of these apps installed should check their billing statements for unrecognized charges.
By now, most readers know Android app security advice cold. Most importantly, users should install apps sparingly and only when they provide a true benefit or are really necessary. When possible, users should favor apps from known developers, or at least those with websites or other history that indicates they’re not a fly-by-night operation. People should periodically check what apps are installed and remove any that are no longer in use.
Author: Dan Goodin