Hackers and Google Play have been caught up in a tense dance over the past decade. The hackers sneak malware into the Google-owned Android app repository. Google throws it out and develops defenses to prevent it from happening again. Then the hackers find a new opening and do it again. This two-step has played out again, this time with a malicious family known as the Joker, which has infiltrated Play since at least 201
Joker is malicious code that lurks inside seemingly legitimate apps. It often waits hours or days after the app is installed before running, in an attempt to evade Google's automatic detection of malicious software. On Thursday, researchers with security firm Check Point said the Joker has struck again, this time hiding in 11 seemingly legitimate apps downloaded from Play about 500,000 times. Once activated, the code allowed the apps to surreptitiously subscribe users to expensive premium services.
The new variant found a new trick to go undetected: it hid its harmful payload in what is called the manifest, a file that Google requires each app to include in its root directory. Google's intention is for this XML file to make the app more transparent, by making its permissions, icons and other information easy to find.
The Joker developers found a way to use the manifest to their advantage. Their apps included benign code for legitimate functions, such as captioning or displaying images, in the expected parts of the installation file. They then hid the malicious code in the manifest's metadata.
The developers added two more layers of stealth. First, the malicious code was stored as base64-encoded strings, which are not readable by humans. Second, during the period in which Google evaluated the apps, the harmful payload remained dormant. Only after an app was approved was the Joker code loaded and executed. Google removed the apps after Check Point reported them.
In January, Google published a detailed description of Bread, the alternative name for the Joker, that listed many of the ways it circumvents defenses. The post said that Play Protect, Google's automatic scanning service, had discovered and removed 1,700 unique apps from the Play Store before they were ever downloaded. Check Point's discovery of a new group of apps downloaded half a million times underlines the limits of Play Protect.
“Our recent findings indicate that Google Play Store protection is not enough,” Aviran Hazum, Check Point’s mobile research manager, wrote in an email. “We were able to spot many cases of Joker uploads every week on Google Play, all of which were downloaded by no harm to users. Joker malware is hard to detect, despite Google’s investment in adding Play Store protection. Although Google removed malicious apps from the Play Store, we can expect the Joker to adapt again.”
To evade detection, previous Joker variants typically retrieved the malicious payload, in the form of a dynamically loaded dex file, from a command and control server after the app was already installed. As Google's defenses improved, that method became less effective. The developers' solution was to store the dex file, as base64 strings, inside the manifest. To be activated, the payload only needed confirmation from the control server that the campaign was active. Check Point also found another Joker variant that hid the base64 strings in an internal class of the main app.
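A defender can check for this hiding place directly. The following is an added example, not Check Point's or Google's code: it scans the `<meta-data>` entries of a decoded AndroidManifest.xml for base64 strings that decode to data carrying the dex file header, which is what the variant described above stores there. It assumes the manifest has already been decoded from the APK's binary XML to plain XML (for instance with apktool), and the sample manifest is constructed for illustration.

```python
"""Flag <meta-data> values in a decoded AndroidManifest.xml that are base64-encoded
DEX files. Added example; the manifest below is constructed, not from a real app."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEX_MAGIC = b"dex\n"      # every DEX file starts with "dex\n", a 3-digit version and NUL
MIN_SUSPECT_LEN = 64      # skip short values such as version numbers or API keys


def looks_like_dex(value: str) -> bool:
    """Return True if the string is base64 whose decoded bytes carry a DEX header."""
    cleaned = re.sub(r"\s+", "", value)
    if len(cleaned) < MIN_SUSPECT_LEN or not re.fullmatch(r"[A-Za-z0-9+/]+=*", cleaned):
        return False
    try:
        decoded = base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded.startswith(DEX_MAGIC)


def find_embedded_dex(manifest_xml: str) -> list[str]:
    """Return the android:name of every <meta-data> whose value decodes to a DEX file."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for md in root.iter("meta-data"):
        name = md.get(f"{{{ANDROID_NS}}}name", "?")
        value = md.get(f"{{{ANDROID_NS}}}value", "")
        if looks_like_dex(value):
            hits.append(name)
    return hits


# Constructed sample: a fake DEX header padded with zeros, base64-encoded into meta-data
# next to a benign entry, mirroring the layout the article describes.
FAKE_DEX = b"dex\n035\0" + b"\0" * 120
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.sample">
  <application>
    <meta-data android:name="com.google.android.gms.version" android:value="12451000"/>
    <meta-data android:name="config_blob" android:value="{base64.b64encode(FAKE_DEX).decode()}"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(find_embedded_dex(SAMPLE_MANIFEST))  # ['config_blob']
```

The check only catches a payload stored as a whole DEX file; a variant that splits, reorders or additionally encrypts the strings would need the decoding step reproduced before the header test.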
The 11 apps Check Point found are:
- com.cheery.message.sendsms (two different instances)
Anyone who has installed one of these apps should check their billing information for unknown charges.
Most readers already know the standard security advice for Android apps. Most importantly, users should install apps sparingly and only when they provide a real benefit or are genuinely needed. Where possible, users should favor apps from well-known developers, or at least from those with websites or other history indicating they are not a fly-by-night operation. People should regularly review which apps are installed and remove any that are no longer used.