Billing Fraud Malware Bypasses Google Play Store Protections, Again

The infamous malware, known as Joker, adapts to hide in the “essential information” file every Android app is required to have, invisibly subscribing victims to premium services without their knowledge.

  • Google describes the malware as having “used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected”
  • Malware targets legitimate-looking applications. Example: Flowers Wallpaper-HD Application
  • 11 infected applications removed from Play Store

Recently, Check Point researcher Aviran Hazum identified a new method the Joker malware has been leveraging. This time, Joker hides malicious code inside what’s called the “Android Manifest” file of a legitimate application. Every application must have an Android Manifest file in its root directory. The manifest file provides essential information about an app, such as its name, icon and permissions, to the Android system, which the system must have before it can run any of the app’s code. Because the payload (the portion of the malware that performs the malicious action) is already inside the manifest, the malware does not need to contact a C&C server (a computer controlled by a cybercriminal and used to send commands to systems compromised by malware) to download it.

Aviran Hazum outlined Joker’s new method in three steps:

  1. Build payload first. Joker builds its payload beforehand, inserting it into the Android Manifest file.
  2. Skip payload loading. During evaluation time, Joker does not even try to load the malicious payload, which makes it a lot easier to bypass Google Play Store protections.
  3. Malware spreads. After the evaluation period, once the app has been approved, the campaign starts to operate, with the malicious payload decided and loaded.
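
Because the payload in step 1 sits in the manifest itself, it is visible to static review even though nothing is loaded during evaluation. The following is an added example, not code from Check Point or Google: a triage check that flags manifest attribute values which decode to executable content. It assumes the manifest has already been decoded to text XML and that the payload is stored as base64 text (the article does not state the encoding); `scan_manifest`, the threshold and the sample manifest are hypothetical.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Magic bytes of executable containers that have no business inside a manifest string.
MAGICS = {b"dex\n": "DEX bytecode", b"PK\x03\x04": "ZIP/APK/JAR archive"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # assumption: payload is base64 text
MIN_LEN = 256  # assumption: plain strings this long are rare in manifest attributes


def scan_manifest(xml_text):
    """Return (tag, attribute, reason) findings for a decoded AndroidManifest.xml."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for attr, value in elem.attrib.items():
            name = attr.split("}")[-1]  # drop the {namespace} prefix ElementTree adds
            for run in B64_RUN.findall(value):
                try:
                    raw = base64.b64decode(run + "=" * (-len(run) % 4))
                except (binascii.Error, ValueError):
                    continue  # not valid base64 after all
                kind = next((k for m, k in MAGICS.items() if raw.startswith(m)), None)
                if kind:
                    findings.append((elem.tag, name, "decodes to " + kind))
                elif len(run) >= MIN_LEN:
                    findings.append((elem.tag, name, "long base64 blob (%d chars)" % len(run)))
    return findings


# Constructed sample: a benign-looking manifest with a fake DEX header hidden in meta-data.
FAKE_DEX = base64.b64encode(b"dex\n035\x00" + bytes(32)).decode()
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <application android:label="Wallpaper">
    <meta-data android:name="cfg" android:value="%s"/>
  </application>
</manifest>""" % FAKE_DEX

if __name__ == "__main__":
    for finding in scan_manifest(SAMPLE):
        print(finding)
```

When the manifest comes from an untrusted APK, parse it with a hardened XML parser such as defusedxml rather than the standard-library one used here.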

Aviran Hazum, Manager of Mobile Research at Check Point Software Technologies, shares: “Joker adapted. We found it hiding in the ‘essential information’ file every Android application is required to have. Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users. The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people.”

Responsible Disclosure

Check Point researchers responsibly disclosed their findings to Google. All reported applications (11 apps) were removed from the Play Store by April 30, 2020.

How to Stay Protected

If you suspect you may have one of these infected apps on your device, here’s what you should do:

  • Uninstall the infected application from the device
  • Check your mobile and credit-card bills to see if you have been signed up for any subscriptions and unsubscribe if possible
  • Install a security solution to prevent future infections
