The Joker malware is proving rather popular looking at the last few months, and last week saw an influx of apps containing the malware hitting the Google Play Store.

Joker is a rather nefarious piece of malware. First spotted in 2017, the malware simulates clicks and intercepts SMS messages with a view to signing users up to premium subscription services.

According to a report by Threat Post, as many as 11 Android apps containing the malware were removed from the Google Play Store in July.

But Joker continues to prove elusive as Zscaler’s ThreatLabZ research team discovered last week.

“Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques,” wrote senior security researcher, Viral Gandhi.

Just last week, 17 Android apps containing Joker were removed from the Play Store. These apps were:

  • All Good PDF Scanner
  • Mint Leaf Message-Your Private Message
  • Unique Keyboard – Fancy Fonts & Free Emoticons
  • Tangram App Lock
  • Direct Messenger
  • Private SMS
  • One Sentence Translator – Multifunctional Translator
  • Style Photo Collage
  • Meticulous Scanner
  • Desire Translate
  • Talent Photo Editor – Blur focus
  • Care Message
  • Part Message
  • Paper Doc Scanner
  • Blue Scanner
  • Hummingbird PDF Converter – Photo to PDF
  • All Good PDF Scanner

All of these apps have been removed from the Google Play Store.

The question now becomes, how did apps loaded with malware make it past Google’s vetting process that is meant to prevent this sort of thing?

The answer is quite simply, obfuscation.

The team of researchers at Zscaler noted three different tactics employed by Joker to get around Google’s security measures.

In each of the scenarios the malware contacted a command and control server which allowed the download of the final malicious payload.

Each instance used different tactics to obscure the URLs of the C&C servers whether that be encrypting the request to the server or downloading Joker in various stages.

So what can you do to protect yourself?

Unfortunately the advice is to be wary of the permissions some apps request. If for instance, a PDF reader is asking for permission to access your SMS history, you should be suspicious.

With that having been said, we also recommend sticking to apps from verified developers.

[Image – CC 0 Pixabay]