
A New Variant of Joker Malware Discovered Spreading via Play Store

by CISOCONNECT Bureau

A new set of Joker malware variants has been identified spreading through the Google Play Store. To get around Google’s malware detection engine, some variations employ sophisticated techniques.

The new variants were identified by Cyble Research Labs and were found to be targeting Android users from Thailand.

The malware uses mobile data to access cellular webpages (payment endpoints) and carries out unauthorized payment transactions. It also steals OTPs, which are used to authenticate transactions.

To carry out malicious actions, the variants use several obfuscation techniques and multi-stage payloads.

Additional Info
To spread the new variants of the malware, the hackers have designed malicious apps that look like ordinary, genuine apps.

One Joker variant was seen exploiting the popularity of Squid Game to lure unsuspecting victims in recent attacks.

In another case, the malicious program purported to be an official LED flasher app, which uses LED for incoming calls and SMS notifications.

Working Mechanism
The new variant in the flasher app uses three multi-stage payloads to carry out malicious activities. Furthermore, this variant requests 18 different permissions from Android, three of which are used by the malware.

The variant begins by loading an APK file, which then loads a shared object (.so) file, which then downloads and loads the APK file. Code for downloading the first-stage payload is concealed in the .so file.

The payload in the second stage is an APK file containing code for gathering OTPs using the notification listener service.

The payload in the last stage is a Jar file containing billing fraud code.
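
A defender-side triage sketch for the mechanism above, added here as an example and not taken from the Cyble report: it parses a decoded AndroidManifest.xml and flags any declared notification listener service (the OTP-gathering route described) and an unusually long permission list. The sample manifest, its package and class names, and the permission threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
NLS_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
NLS_ACTION = "android.service.notification.NotificationListenerService"

# Constructed sample: decoded manifest of a hypothetical LED flasher app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ledflash">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".NotifyWatcher"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <service android:name=".FlashService"/>
  </application>
</manifest>"""


def triage_manifest(manifest_xml, max_permissions=10):
    """Return permissions, notification listener services and findings.

    max_permissions is an arbitrary review threshold (assumption), not a
    value from the report.
    """
    root = ET.fromstring(manifest_xml)
    names = (p.get(A + "name") for p in root.iter("uses-permission"))
    permissions = sorted({n for n in names if n})
    listeners = []
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # Either marker indicates a notification listener declaration.
        if svc.get(A + "permission") == NLS_PERMISSION or NLS_ACTION in actions:
            listeners.append(svc.get(A + "name"))
    findings = []
    if listeners:
        findings.append("notification listener declared: " + ", ".join(listeners))
    if len(permissions) > max_permissions:
        findings.append(f"{len(permissions)} permissions requested")
    return {"package": root.get("package"), "permissions": permissions,
            "notification_listeners": listeners, "findings": findings}


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A finding here is a prompt for review, not a verdict: legitimate notification-flash apps also declare a listener, so the signal matters most when combined with a permission list far beyond what the app's stated purpose needs.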

Concluding Words
For Android users, the Joker malware is a sophisticated and severe security threat. Furthermore, malware creators are always using updated techniques such as multi-stage payloads to escape detection. To be secure from these threats, experts recommend avoiding apps from untrustworthy third-party sources and monitoring the behaviour of installed apps.
