- Google has removed another batch of Android apps from the Google Play Store after analysts with Check Point Research discovered these apps connected to the Joker malware that’s previously bedeviled Google’s app marketplace.
- In the past, the Joker malware has been responsible for everything from stealing SMS messages to spyware.
- This comes as a number of other troubling security-related problems have been found recently involving Android apps and devices.
Lately, it seems like no sooner do we write about a newly uncovered security vulnerability involving sketchy Android apps — or instances like some Android phones apparently hiding undeletable, malicious files and apps on users’ devices — than another similar problem crops right up anew, whack-a-mole style.
This time, it’s a familiar kind of Android malware that’s returned, called “Joker,” that was first identified some three years ago and has been responsible for everything from stealing SMS messages to engaging in billing fraud and spyware. Analysts from Check Point Research found a number of apps using what researchers described as a variant of the Joker malware and which were hiding in the Google Play Store in “seemingly legitimate applications.”
“We found that this updated version of Joker was able to download additional malware to the device, which subscribes the user to premium services without their knowledge or consent,” the Check Point team wrote in a summary of their findings, available here. That report provides the package names for 11 of the offending apps (one of which is listed twice), so you can use these to see if any of them might have been on your handset but under a different identity:
Those apps include a file recovery service, an image compressor, and a wallpaper collection app focused on flowers.
“Joker, one of the most prominent types of malware for Android, keeps finding its way into Google’s official application market as a result of small changes to its code, which enables it to get past the Play store’s security and vetting barriers,” the Check Point team continued in its report. “This time, however, the malicious actor behind Joker adopted an old technique from the conventional PC threat landscape and used it in the mobile app world to avoid detection by Google.”
To subscribe people to premium services without them being aware, the Joker malware apparently used the original applications’ Notification Listener service, as well as a dynamic dex file which the command and control server loaded to perform the actual user registrations.
Check Point says it’s a common technique for developers of Windows PC malware to obscure their code’s “fingerprint” by hiding the dex file while still making sure it’s able to load.
Google has booted these apps from the Play Store, but Check Point’s Aviran Hazum told one news outlet that the Joker malware will nevertheless likely return again in some form. “The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again.”
Which is to say, this is probably as good as time as any to remind yourself of best practices when it comes to device usage — for example, only download apps from names you trust. And stay away from developers no one has heard of before if you want to be extra safe, as well as away from apps that have lots of negative reviews.