
Last year we saw the Joker malware surface and spread like wildfire. The latest report from researchers has discovered a new variant of the Joker and Premium Dialer spyware in Google Play Store. These were found hiding inside of applications. This new ‘Joker’ malware can download malware to the device, which in turn subscribes the vicitm to a number of premium services without their permission. Google has removed 11 apps from the Play Store due to Joker malware attack. The application include com.imagecompress.android.com, com.training.memorygame, com.remindme.alram, com.LPlocker.lockapps, com.file.recoverfiles, com.hmvoice.friendsms, com.contact.withme.text, com.peason.lovinglovemessage, com.cheery.message.sendsms and com.relax.relaxation.androidsms.
Also Read: Relience Jio launch JioMeet app
Everything about: Joker malware
The researchers have said that with small changes to it’s code Joker malware get the Play Store security and vetting barriers. This time Joker malware has back with an old technique from the conventional PC threat landscape to keep them save from Google. The newly malware uses two main components to subscribe, app users to premium services. These components are: dynamic Dex file loaded from the C&C server and Notification Listener service.
To minimise the Joker code developer hid the code by dynamically loading it onto a Dex file, at same time ensuring that it is also to completely load when open. The code inside of Dex file is encoded as base64 encoded strings, that start decoding and loading as soon as the user opens the affected application. The original ‘Joker’ malware communicated with the C&C and downloaded the dynamic Dex file, which was loaded as casses.dex file loading a new payload. The malware is triggered by creating a new object that communicates with the C&C.