fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Joker Android Malware Keeps Evading Google Play Store Defenses

Joker Android Malware Keeps Evading Google Play Store Defenses

Joker Android malware keeps evading Google Play Store defenses

The threat actor behind the Joker Android malware has once again succeeded to successfully slip spyware infected apps onto the Play Store, Google’s official Android app store.

Android applications infected with Joker malware, a spyware and premium dialer tool also known as Bread and tracked since 2017, were originally designed to perform SMS fraud.

More recently, Joker’s creators have moved to new tactics after Google introduced new Play Store policies which restrict the use of SEND_SMS permissions and increase Google Play Protect’s coverage.

Updated versions of this Android trojan now are used for a type of mobile billing fraud known as toll fraud. Through this new tactic, the Joker’s operators use malicious apps to trick their victims into subscribing to or buying various types of content via their mobile phone bill.

Bypassing Google Play Store’s defenses

A new variant of Joker successfully slipped into the Play Store and infected Android users after hiding the malicious payload as a dex file hidden in the form o Base64 encoded strings within seemingly benign apps’ AndroidManifest files (used to provide Android build tools, the Android OS, and the Google Play Store with essential info about the apps).

This allows the malware to successfully avoid detection while being analyzed during the submission process and to eliminate the need to connect to a command-and-control (C2) server to download the malicious components onto the compromised devices.

In all, Check Point researchers who spotted the new Joker variant reported 11 apps to Google, applications that were removed from the official Android marketplace by April 30, 2020.

Manifest file containing the malicious dex payload

Check Point’s Manager of Mobile Research Aviran Hazum says that the new method of infection used by Joker includes the following three steps:

1. Build payload first: Joker builds its payload beforehand, inserting it into the Android Manifest File.
2. Skip payload loading: During evaluation time, Joker does not even try to load the malicious payload, which makes it a lot easier to bypass Google Play Store protections.
3. Malware spreads: After the evaluation period, after it’s been approved, the campaign starts to operate, malicious payload decided and loaded

“Joker adapted. We found it hiding in the ‘essential information’ file every Android application is required to have,” Hazum explains.

“Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users.”

A list of malware sample hashes and Android package names for all the apps found to be infected with Joker payloads is available in the table embedded below.

SHA256 hashPackage Name
db43287d1a5ed249c4376ff6eb4a5ae65c63ceade7100229555aebf4a13cebf7com.imagecompress.android
d54dd3ccfc4f0ed5fa6f3449f8ddc37a5eff2a176590e627f9be92933da32926com.contact.withme.texts
5ada05f5c6bbabb5474338084565893afa624e0115f494e1c91f48111cbe99f3com.hmvoice.friendsms
2a12084a4195239e67e783888003a6433631359498a6b08941d695c65c05ecc4com.relax.relaxation.androidsms
96f269fa0d70fdb338f0f6cabf9748f6182b44eb1342c7dca2d4de85472bf789com.cheery.message.sendsms
0d9a5dc012078ef41ae9112554cefbc4d88133f1e40a4c4d52decf41b54fc830com.cheery.message.sendsms
2dba603773fee05232a9d21cbf6690c97172496f3bde2b456d687d920b160404com.peason.lovinglovemessage
46a5fb5d44e126bc9758a57e9c80e013cac31b3b57d98eae66e898a264251f47com.file.recovefiles
f6c37577afa37d085fb68fe365e1076363821d241fe48be1a27ae5edd2a35c4dcom.LPlocker.lockapps
044514ed2aeb7c0f90e7a9daf60c1562dc21114f29276136036d878ce8f652cacom.remindme.alram
f90acfa650db3e859a2862033ea1536e2d7a9ff5020b18b19f2b5dfd8dd323b3com.training.memorygame

Users who suspect that they might have been infected by one of these Joker-infested applications are advised to uninstall the infected apps from their Android device.

They should also check their mobile and credit-card bills to for new subscriptions and immediately unsubscribe (if possible).

Also read: 6 Simple Tips on Cyber Safety at Home

Continuously adapting tactics to slip into Play Store undetected

Google said in January 2020 that approximately 1,700 applications infected with Joker malware were removed from the Play Store by Google’s Play Protect since the company started tracking it during early 2017.

At least one set of such malicious Android apps were able to get into the Play Store as discovered by CSIS Security Group security researchers who found 24 apps with more than 472,000 downloads in total on the marketplace in September 2019.

“Sheer volume appears to be the preferred approach for Bread developers,” Android Security & Privacy Team’s Alec Guertin and Vadim Kotov said at the time.

“At different times, we have seen three or more active variants using different approaches or targeting different carriers. [..] At peak times of activity, we have seen up to 23 different apps from this family submitted to Play in one day.”

Joker’s creators are continually forced to switch tactics and to look for gaps in Play Store’s defenses as Google introduces new policies and Google Play Protect scales and adapts its defenses.

“They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected,” Guertin and Kotov said.

“Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere.”

Also read: Cost of GDPR Compliance for Singapore Companies

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us