A new Android malware called Joker, which hides behind the advertisement framework of the compromised apps, has been found to be active since early June. It signs users up for premium subscriptions and steals personal data. A total of 24 Play Store apps, including ones with over 100,000 downloads, have been found to be infected with this malware.
How does it operate?
All the harvested data is encrypted and sent to the command-and-control server.
Many of the Joker-infected apps primarily target European and Asian countries. It has also been discovered that most of these apps have an additional check to ensure that the payload doesn’t execute when running in the US or Canada.
CSIS Security Group announced, “The full list of 37 targeted countries includes: Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom and United States.” They have also released the list of indicators of compromise.
The compromised apps contain a set of Mobile Country Codes. The country code of the potential victim’s SIM card is compared with this list. If it matches, Joker goes ahead and downloads the second-stage malicious component.
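A static-triage heuristic for the check described above, added here as an example and not taken from CSIS's analysis or from Joker's code: it scans string constants pulled from a decompiled app for a hard-coded list of Mobile Country Codes next to SIM-lookup API names. The sample strings, the `triage` function, its thresholds, and the assumption that the list is stored as a delimiter-separated string are constructed for illustration.

```python
import re

# Subset of ITU-T E.212 Mobile Country Codes, enough for the illustration.
MCC_COUNTRY = {
    "202": "Greece", "204": "Netherlands", "206": "Belgium", "208": "France",
    "214": "Spain", "222": "Italy", "232": "Austria", "234": "United Kingdom",
    "240": "Sweden", "242": "Norway", "260": "Poland", "262": "Germany",
    "268": "Portugal", "302": "Canada", "310": "United States",
    "404": "India", "460": "China", "502": "Malaysia", "505": "Australia",
    "510": "Indonesia", "520": "Thailand", "525": "Singapore", "724": "Brazil",
}
# The US is allocated MCC 310-316; Canada is 302.
US_CA = {"302"} | {str(c) for c in range(310, 317)}
# Android TelephonyManager methods that expose the SIM's operator or country.
SIM_APIS = ("getSimOperator", "getSimCountryIso")
# Two or more three-digit tokens separated by , ; or |
MCC_RUN = re.compile(r"(?<!\d)\d{3}(?:\s*[,;|]\s*\d{3})+(?!\d)")

def triage(strings, min_codes=5, min_known=0.8):
    """Flag runs of known MCCs among an app's string constants."""
    hits = []
    for s in strings:
        for m in MCC_RUN.finditer(s):
            codes = re.findall(r"\d{3}", m.group())
            known = [c for c in codes if c in MCC_COUNTRY]
            # Require a long run that is mostly real MCCs to cut false positives.
            if len(codes) >= min_codes and len(known) / len(codes) >= min_known:
                hits.append({
                    "codes": codes,
                    "countries": [MCC_COUNTRY[c] for c in known],
                    "excludes_us_ca": not US_CA & set(codes),
                })
    sim_api = any(api in s for s in strings for api in SIM_APIS)
    return {"sim_api": sim_api, "mcc_lists": hits}

# Constructed sample: strings as they might appear in a decompiled app.
SAMPLE_STRINGS = [
    "Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;",
    "262,208,234,222,214,404,460,520",
    "version 1.2.3 build 100,200",
    "https://example.invalid/config",
]

if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS))
```

A hit is only a lead for manual review: legitimate apps also carry MCC tables for localisation, so the SIM-API reference and the absence of US and Canadian codes are what raise its priority.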
Google is continuously weeding out all the infected apps from the Play Store. However, it is recommended that Android users grant app permissions only after verifying them for each app they download.