Security researchers detected a new variant of the Joker spyware family that had infiltrated Google Play and had begun abusing an old trick to target users.
Check Point Research found that the authors of Joker, a dropper and premium dialer spyware, had once again modified their creation’s code so that the malware would bypass the Play Store’s security mechanisms and conceal itself within seemingly legitimate apps.
Upon successful installation, Joker pulled down additional malware onto a victim’s infected Android device. Those threats then furtively subscribed the user to premium services.
This variant of the spyware family deployed an old trick that it had adopted from the PC threat landscape. Check Point Research revealed that this trick involved the retrieval of a dynamic dex file from Joker’s command-and-control (C&C) server for the purpose of subscribing victims to the premium services:
In an attempt to minimize Joker’s fingerprint, the actor behind it hid the dynamically loaded dex file from sight while still ensuring it is able to load – a technique which is well-known to developers of malware for Windows PCs. This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded.
Users who believe they’ve been infected with Joker should follow Check Point Research’s advice and uninstall whichever application was responsible for producing the infection from their device. They should also install a mobile security solution to protect their devices against similar infections in the future.
From there, they should keep an eye out on their credit card bills and other account statements to see if they’ve been enrolled in any unfamiliar subscription services. If they have been, they should attempt to unsubscribe. If that doesn’t work, they should contact their payment card company to see if they can block the charge directly.
Mobile users can further protect themselves against threats such as Joker by following these best practices on their devices.