Hackers and Google Play have been involved in a tense dance for the past ten years. The hackers sneak malware into Google's own Android app repository. Google throws it out and develops defense mechanisms to prevent it from happening again. Then the hackers find a new opening and do it again. This two-step has played out once more, this time with a malware family called Joker, which has been infiltrating Play since at least 2017.
Joker is malicious code that lurks in apparently legitimate apps. It often waits hours or days after the app is installed before acting, a delay that helps it slip past Google's automated malware detection. On Thursday, researchers from the security firm Check Point said Joker had struck again, this time in 11 apparently legitimate apps that were downloaded about 500,000 times from Play. Once activated, the malware allowed the apps to secretly subscribe users to expensive premium services.
The new variant has found a new trick for remaining undetected: it hides its malicious payload in the so-called manifest, a file that Google requires every app to include in its root directory. Google intends the XML file to make apps more transparent by making permissions, icons, and other information about the app easy to find.
The Joker developers found a way to use the manifest to their advantage. Their apps contained harmless code for legitimate things like sending SMS or displaying pictures in the expected parts of the installation file. They then hid the malicious code in the manifest's metadata.
The developers added two more layers of stealth. First, the malicious code was stored as base64-encoded strings that cannot be read by humans. Second, the malicious payload remained inactive while Google was evaluating the apps. The Joker code is only loaded and executed after the app has been approved. Google removed the apps after Check Point reported them.
In January, Google published a detailed description of Bread, the alternate name for Joker, that outlines the many ways to defend against it. The post said that Play Protect, Google's automated scanning service, recognized 1,700 unique apps and removed them from the Play Store before they were ever downloaded. Check Point's discovery of a new suite of apps downloaded half a million times underscores Play Protect's limitations.
"Our latest findings show that Google Play Store protection is insufficient," Aviran Hazum, Check Point's mobile research manager, wrote in an email. "We saw numerous cases of Joker uploads to Google Play every week, all of which were downloaded by unsuspecting users. The Joker malware is difficult to spot, although Google has invested in adding Play Store protection. Even though Google has removed the malicious apps from the Play Store, we can assume that Joker will adapt again."
To avoid detection, earlier Joker variants often fetched the harmful payload, in the form of a dynamically loaded dex file, from a command and control server after the app had already been installed. As Google's defenses improved, this method became less effective. The developers' solution was to store the dex file, as base64 strings, in the manifest. To activate the payload, the control server only had to confirm that the campaign was active. Check Point also found another Joker variant that hid the base64 strings in an internal class of the main app.
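The hiding technique described above (a base64-encoded dex file stored in manifest metadata, with the legitimate code elsewhere in the package) gives a defender a concrete thing to look for during app review. The following is an added example, not code from the article or from Check Point: a small scanner that parses a decoded AndroidManifest.xml, flags `<meta-data>` values that look like long base64 blobs, and reports whether such a blob decodes to something carrying the DEX file header (`dex\n`). The manifest it scans is constructed inline for the example; the package name and the `example.constructed.blob` metadata key are assumptions, not identifiers from the page.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEX_MAGIC = b"dex\n"      # every DEX file begins with "dex\n" + a 3-digit version + NUL
MIN_SUSPECT_LEN = 64      # metadata values shorter than this are unlikely to carry code
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")


def looks_like_base64(value: str) -> bool:
    """Heuristic: long, padded to a multiple of 4, and only base64 alphabet characters."""
    stripped = "".join(value.split())
    return (
        len(stripped) >= MIN_SUSPECT_LEN
        and len(stripped) % 4 == 0
        and bool(B64_RE.match(value))
    )


def decodes_to_dex(value: str) -> bool:
    """True when the base64 text decodes cleanly and starts with the DEX magic bytes."""
    try:
        blob = base64.b64decode("".join(value.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    return blob.startswith(DEX_MAGIC)


def scan_manifest(xml_text: str) -> list:
    """Return (metadata name, reason) for every <meta-data> whose android:value
    looks like an embedded base64 blob. Benign short values are skipped."""
    root = ET.fromstring(xml_text)
    findings = []
    for md in root.iter("meta-data"):
        name = md.get(f"{{{ANDROID_NS}}}name", "<unnamed>")
        value = md.get(f"{{{ANDROID_NS}}}value")
        if not value or not looks_like_base64(value):
            continue
        if decodes_to_dex(value):
            reason = "base64 payload decodes to a DEX file"
        else:
            reason = "long base64 blob in manifest metadata"
        findings.append((name, reason))
    return findings


# Constructed sample manifest: one ordinary integer metadata value and one
# constructed blob that is just a DEX header followed by zero padding.
_FAKE_DEX = base64.b64encode(b"dex\n035\x00" + b"\x00" * 100).decode()
SAMPLE_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.example.constructed">
  <application android:label="Sample">
    <meta-data android:name="com.google.android.gms.version" android:value="12451000" />
    <meta-data android:name="example.constructed.blob" android:value="{_FAKE_DEX}" />
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, reason in scan_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```

The scanner works on the decoded XML form of the manifest (as produced by tools such as apktool); the binary AXML inside an APK must be decoded first. It is a triage heuristic, not a verdict: a long base64 value in metadata is unusual enough to warrant a look, and a DEX header inside it is a strong signal, but an attacker can trivially obfuscate the encoding, so the check belongs alongside behavioural review rather than in place of it.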
The 11 apps Check Point found are:
- com.cheery.message.sendsms (two different instances)
Anyone who has installed one of these apps should check their bills for charges they did not notice.
Most readers are by now familiar with the standard security advice for Android apps. The most important point is that users install apps sparingly and only if they offer a real benefit or are genuinely necessary. Where possible, users should prefer apps from known developers, or at least from developers with websites or some other history indicating that they are not a fly-by-night operation. Users should regularly check which apps are installed and remove those that are no longer used.