Billing fraud malware Joker evades Google Play security to infect Android devices. Hidden in legitimate applications, it has targeted Android users to subscribe them to premium services without their consent.
It’s a tricky new variant of the Joker malware, identified by researchers at security firm Check Point. To go undetected, the malware hid its malicious payload inside the metadata of the Android manifest file. The malicious code was stored as Base64-encoded strings. The payload remained dormant while Google was evaluating the apps. Once an app was approved, the developers started loading the malicious payload.
The 11 identified infected apps are:
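A defender-side triage check for the hiding place described above, added here as an example and not taken from Check Point or the original article: it scans a manifest that has already been decoded to text XML (for example with apktool) for `<meta-data>` values that are long Base64 strings and reports what they decode to. The length threshold, the DEX/ZIP magic-byte check and the sample manifest are assumptions constructed for illustration.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_LEN = 64  # assumed threshold: ordinary meta-data values (keys, IDs) are shorter
# File signatures worth reporting when a decoded value starts with them (assumption).
MAGICS = {b"dex\n": "dex", b"PK\x03\x04": "zip/apk/jar"}


def scan_manifest(xml_text, min_len=MIN_LEN):
    """Return one finding per <meta-data> value that is a long, valid Base64 blob."""
    findings = []
    root = ET.fromstring(xml_text)
    for node in root.iter("meta-data"):
        name = node.get(ANDROID_NS + "name", "")
        value = (node.get(ANDROID_NS + "value") or "").strip()
        # Cheap filters first: length, padding alignment, Base64 alphabet.
        if len(value) < min_len or len(value) % 4 or not B64_RE.match(value):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            continue
        kind = next((k for m, k in MAGICS.items() if raw.startswith(m)), "unknown")
        findings.append({"name": name, "decoded_len": len(raw), "kind": kind})
    return findings


# Constructed, harmless sample: a DEX magic header followed by zero bytes.
_FAKE_BLOB = base64.b64encode(b"dex\n035\x00" + bytes(60)).decode()
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application>
    <meta-data android:name="com.example.API_KEY" android:value="constructed-short-key-123"/>
    <meta-data android:name="com.example.ENDPOINT"
        android:value="https://example.com/constructed/long/configuration/endpoint/value/v1"/>
    <meta-data android:name="app.config.blob" android:value="{_FAKE_BLOB}"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in scan_manifest(SAMPLE_MANIFEST):
        print(finding)
```

A hit with kind `unknown` is only a lead for manual review, since long alphanumeric configuration values can also pass the Base64 filters.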
com.imagecompress.android
com.contact.withme.texts
com.hmvoice.friendsms
com.relax.relaxation.androidsms
com.cheery.message.sendsms
com.cheery.message.sendsms
com.peason.lovinglovemessage
com.file.recovefiles
com.LPlocker.lockapps
com.remindme.alram
com.training.memorygame
Aviran Hazum, Check Point’s manager of mobile research, explained, “Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users. The Joker malware is tricky to detect, despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again.”
Following disclosure by Check Point, Google removed the 11 identified apps from the Play Store on April 30, 2020.
To stay safe, users should check whether they have any of the 11 apps listed above installed, check their billing statements for unauthorised charges, uninstall any infected application, check that an app is from a known developer before downloading it, and install a security feature to prevent future infections.