A new set of variants of Joker malware has been discovered spreading via the Play Store. These variants make use of sophisticated techniques to avoid Google’s malware detection engine.

What has happened?

Cyble Research Labs discovered the new variants, which are targeting Android users from Thailand.
  • The malware accesses cellular webpages (payment endpoints) over mobile data and carries out unauthorized payment transactions. It also steals the OTPs used to authenticate those transactions.
  • The variants are using several obfuscation techniques and multi-stage payloads to carry out malicious actions.

Additional insights

To spread the new variants, the attackers have created malicious apps posing as common, legitimate applications.
  • In the recent attacks, one Joker variant was observed exploiting the popularity of Squid Game to lure unsuspecting victims.
  • In another case, the malicious app posed as an official LED flasher app that uses the LED flash to signal incoming calls and SMSs.

Technical details

The variant found in the flasher app carries out its malicious activity through three payload stages. It requests 18 different Android permissions, of which it actually uses three.
  • In the initial stage, the installed APK loads a shared object (.so) library. The code that downloads the first-stage payload is hidden in that .so file, which then downloads and loads the payload APK.
  • In the second stage, the payload is an APK containing code that harvests OTPs through the notification listener service.
  • In the last stage, the payload is a JAR file containing the billing-fraud code.
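The staging described above leaves static traces a reviewer can look for before the app ever runs: an unusually large permission set, a service declared as a notification listener (the route used to read OTP SMSs), SMS permissions, and bundled native libraries. The following Python triage check is an added example, not code from the Cyble report; it assumes the manifest has already been decoded to plain XML (for instance with apktool, since an APK stores it as binary XML), and the package name, class names and file paths in the embedded sample are constructed for illustration.

```python
"""Static triage for the Joker-style indicators described above.

Added example, not code from the Cyble report: given a decoded
AndroidManifest.xml (as produced by apktool; a real APK stores it as binary
XML) and the APK's file listing, flag the combination this section describes:
a large permission set, a notification-listener service (the OTP-reading
route), SMS access, and bundled native libraries that can hide a stage loader.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:* attributes in ElementTree

# Real Android identifiers used by the checks below.
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
NOTIF_LISTENER_ACTION = "android.service.notification.NotificationListenerService"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Heuristic threshold chosen for this example; the variant in the text asked for 18.
PERMISSION_THRESHOLD = 15


def requested_permissions(root: ET.Element) -> List[str]:
    """All <uses-permission android:name=...> entries in the manifest."""
    return [e.get(A + "name") for e in root.iter("uses-permission") if e.get(A + "name")]


def notification_listeners(root: ET.Element) -> List[str]:
    """Services declared as notification listeners: once the user grants access
    they can read every notification, including incoming OTP SMSs."""
    found = []
    for svc in root.iter("service"):
        if svc.get(A + "permission") != NOTIF_LISTENER_PERM:
            continue
        actions = {a.get(A + "name") for a in svc.iter("action")}
        if NOTIF_LISTENER_ACTION in actions:
            found.append(svc.get(A + "name"))
    return found


def native_libs(file_list: List[str]) -> List[str]:
    """Bundled .so files; the text places the first-stage downloader in one."""
    return sorted(f for f in file_list if f.startswith("lib/") and f.endswith(".so"))


def triage(manifest_xml: str, file_list: List[str]) -> Dict:
    """Combine the indicators; two or more together mark the sample for review.
    The manifest cannot show which permissions the code actually uses, so the
    18-requested/3-used gap from the text still needs code analysis."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    findings = {
        "permission_count": len(perms),
        "sms_permissions": sorted(set(perms) & SMS_PERMS),
        "notification_listeners": notification_listeners(root),
        "native_libs": native_libs(file_list),
    }
    reasons = []
    if findings["permission_count"] >= PERMISSION_THRESHOLD:
        reasons.append("requests %d permissions" % findings["permission_count"])
    if findings["sms_permissions"]:
        reasons.append("asks for SMS access")
    if findings["notification_listeners"]:
        reasons.append("declares a notification listener service")
    if findings["native_libs"]:
        reasons.append("ships native libraries")
    findings["reasons"] = reasons
    findings["suspicious"] = len(reasons) >= 2
    return findings


# Constructed sample: a fake "LED flasher" manifest modelled on the description
# above. Package name, class names and file paths are invented for the example.
_PERMS = [
    "INTERNET", "ACCESS_NETWORK_STATE", "CAMERA", "FLASHLIGHT", "RECEIVE_SMS",
    "READ_SMS", "READ_PHONE_STATE", "READ_CONTACTS", "WAKE_LOCK",
    "RECEIVE_BOOT_COMPLETED", "FOREGROUND_SERVICE", "VIBRATE", "ACCESS_WIFI_STATE",
    "CHANGE_NETWORK_STATE", "REQUEST_INSTALL_PACKAGES", "WRITE_EXTERNAL_STORAGE",
    "READ_EXTERNAL_STORAGE", "SYSTEM_ALERT_WINDOW",
]
FLASHER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.ledflasher">
%s
  <application>
    <service android:name="com.example.ledflasher.NotiService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>""" % "\n".join('  <uses-permission android:name="android.permission.%s"/>' % p for p in _PERMS)
FLASHER_FILES = ["AndroidManifest.xml", "classes.dex", "lib/arm64-v8a/libflash.so",
                 "res/drawable/icon.png"]

# Constructed benign counterpart: a torch app that only needs the camera LED.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <application/>
</manifest>"""
BENIGN_FILES = ["AndroidManifest.xml", "classes.dex", "res/drawable/icon.png"]

if __name__ == "__main__":
    for name, manifest, files in (("flasher", FLASHER_MANIFEST, FLASHER_FILES),
                                  ("torch", BENIGN_MANIFEST, BENIGN_FILES)):
        result = triage(manifest, files)
        print(name, "suspicious" if result["suspicious"] else "clean", "; ".join(result["reasons"]))
```

The output is a review flag, not a verdict: a legitimate messaging app will also declare SMS permissions or a notification listener, which is why the check requires at least two indicators together and reports the reasons so an analyst can judge them against what the app claims to do. The constructed flasher sample trips all four indicators; the benign torch sample trips none.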

Conclusion

The Joker malware is a sophisticated and dangerous threat to Android users. Its developers regularly adopt updated techniques, such as multi-stage payloads, to avoid detection. Experts therefore recommend avoiding apps from untrustworthy third-party sources and monitoring the behavior of installed apps to stay protected.

Cyware Publisher