24 Google Play Apps Found to Distribute the Joker Malware

According to Google Play, the malicious apps that were designed to infect unsuspecting Android users with the new Joker malware were downloaded a total of 472,000 times. The number does seem relatively high, but we must point out that it might not be entirely accurate. Astroturfing techniques are pretty popular with malware operators, which means that the download number can't always be trusted.

Nevertheless, according to researchers from CSIS Security Group, the Joker malware was delivered through a total of 24 applications and was aimed at users in 37 countries, including most of the EU member states as well as some of the biggest markets in the Far East and South America. So, we're not talking about a small campaign. Let's see what the criminals wanted to achieve with it.

Clever obfuscation techniques and specific targeting sets Joker apart

CSIS Security Group's experts didn't say what sort of applications were carrying the Joker malware, and neither did Google, which independently detected the apps and removed them from the Play store. This means that determining the exact demographics of the targeted userbase is not very easy. It's safe to say, however, that this is not the typical spray-and-pray campaign aimed to hit as many people as possible.

Although some of the applications proceed with the infection regardless of the target, most of the Joker apps are programmed to check the user's phone number and see if it's on a list of country codes that is hard-coded inside the application. Some of the apps are designed to abort the operation if they see that the device belongs to a US or a Canadian citizen. It's difficult to say whether the careful picking of targets has anything to do with it, but according to the researchers, bits of Joker's code, as well as a few characteristics of its control panel, suggest that the authors are Chinese.

Once the malicious app decides that the target is fit for infection, it proceeds with downloading the second-stage payload from the Command & Control server (C&C), but it tries to do it as silently as possible. The communication with the C&C is limited to sending out a short report of a successful infection and receiving the payload in an encrypted form. The malware was designed to execute as few Java commands as possible which makes it hard to detect, and to hide their malicious tasks, some of the Joker-infested apps use splash screens.

A premium subscription malware that can do a lot more

Once the second-stage payload is executed, the Joker malware periodically contacts the C&C and waits for instructions. In the campaign CSIS observed, the malicious applications were used to subscribe victims to paid services.

The C&C sends the URL, and Joker uses JavaScript to open it and follow the subscription steps. Many of the premium services Joker uses require an additional code that is sent to the user as an SMS. The malware can read the text message, retrieve the code, and complete the subscription.

CSIS' experts didn't provide too many details on what the victims ended up with, but they did say that some users in Denmark were signed up for a service that costs €6.71 (about $7.40) per week.

It's clear that in this particular campaign, Joker was used for making money. There are a couple of things to suggest that it can be employed for other purposes as well, though.

The fact that it can read text messages indicates quite clearly that a lot of time and effort was put into it, which is not very typical for malware that is used for nothing more than subscribing people for paid services. What's more, when CSIS' researchers took a closer look, they found out that Joker can not only read an SMS, it can also send its contents to the C&C. In addition to this, the experts observed Joker scraping and sending victims' contact lists to the malware's operators. In other words, with a few minor modifications, Joker can be turned into a powerful cyberespionage tool.

Malware appears on Google Play again

CSIS' experts praised Google for removing the malicious apps from the Play store quickly and efficiently. It must be said, however, that they shouldn't have appeared in the first place.

The problem of malware on Android's official app store isn't new, and Google has been trying to find ways of solving it for a while now. Unfortunately, despite supposedly new, improved filters and protection mechanisms, there's no shortage of malicious applications that regularly slip through the net. This means that you still need to be as careful as ever, especially with the permissions new apps request.