Joker trojan found on Android store | Information age


Some people just want to watch the world burn. Photo: Shutterstock

Cyber security researchers have discovered new malware on the Google Play Store.

Joker, named after one of the Trojan’s command and control domain names, delivered a component that silently signed unwitting users up to premium subscription services.

It was packed into 24 apps that had been downloaded almost 500,000 times.

Google has since removed the apps from its store.

In a post on the CSIS Security Group blog, malware analyst Aleksejs Kuprins explains how the Trojan slowly siphoned off money from its victims.

“Automated interaction with advertising websites includes simulating clicks and entering authorization codes for premium service subscriptions,” said Kuprins.

“This strategy works by automating the necessary interaction with the premium offer’s web page, entering the operator’s offer code, then waiting for an SMS with a confirmation code and extracting it from there using regular expressions.

“Finally, the Joker submits the extracted code to the offer’s web page, in order to authorize the premium membership.”

Kuprins said that $10 per week subscriptions were taken out through Joker and that it was targeting users in specific countries, including China, India, Australia, the United States and the United Kingdom.

Joker has targeted users from 37 countries.

Like the recent iPhone vulnerability, Joker was well built, sophisticated, and had the ability to monitor infected phones by scraping contacts and reading text messages.

“This malware kit stands out for its small size and silence,” said Kuprins.

“It uses as little Java code as possible and thus generates as little footprint as possible.

“Whenever the malware extracts a code from an SMS message, it also reports it to C&C when the job is done.

“Hypothetically, the botnet operator can create a job, which would result in the theft of all incoming SMS messages.”

He couldn’t attribute Joker to any particular developer, but Kuprins said the malware’s command and control centers and “some of the bot’s code comments” were written in Chinese – which could indicate the location of the developers.

Screenshot of the login page for one of Joker’s online command and control centers.

In order to avoid getting bitten by malware, Kuprins said Android users should remain aware of what their apps can access.

“We recommend that you pay close attention to the list of permissions in the apps you install on your Android device,” he said.

“Obviously, there isn’t usually a clear description of why a certain app needs a particular permission, which means that whenever you download an app you are always relying on your intuition to a certain extent.”
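The permission review recommended above can be partly automated. The following is an added example, not code from the article or from CSIS: it parses the text printed by `aapt dump permissions` and reports SMS and contact permissions that an app of the stated kind has no obvious need for. The sample outputs, package names and the category table are constructed assumptions.

```python
import re

# Permissions that grant the access the article attributes to Joker:
# reading incoming SMS (confirmation codes) and reading the contact list.
SENSITIVE = {
    "android.permission.READ_SMS": "read stored text messages",
    "android.permission.RECEIVE_SMS": "receive incoming text messages",
    "android.permission.READ_CONTACTS": "read the contact list",
}

# Assumption for this example: the sensitive permissions each kind of app
# can plausibly justify. An unknown category justifies none of them.
SMS_AND_CONTACTS = set(SENSITIVE)
EXPECTED = {"wallpaper": set(), "camera": set(), "messaging": SMS_AND_CONTACTS}

# Accepts both aapt styles: "uses-permission: name='X'" and "uses-permission: X".
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)", re.M)

# Constructed sample output for a wallpaper app and a messaging app.
SAMPLE_WALLPAPER = """package: com.example.wallpaper
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SET_WALLPAPER'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: android.permission.READ_CONTACTS
"""
SAMPLE_MESSAGING = """package: com.example.messaging
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.RECEIVE_SMS'
"""

def parse_permissions(aapt_output):
    """Return the set of permission names declared in the aapt output."""
    return set(PERM_RE.findall(aapt_output))

def audit(aapt_output, category):
    """Return sensitive permissions the app requests but its category does not explain."""
    requested = parse_permissions(aapt_output)
    allowed = EXPECTED.get(category, set())
    return sorted(p for p in requested & set(SENSITIVE) if p not in allowed)

if __name__ == "__main__":
    for name, sample, kind in [("wallpaper", SAMPLE_WALLPAPER, "wallpaper"),
                               ("messaging", SAMPLE_MESSAGING, "messaging")]:
        findings = audit(sample, kind)
        print(name, "->", [f"{p} ({SENSITIVE[p]})" for p in findings] or "nothing unexpected")
```

The messaging sample passes even though it holds the same SMS access, so a clean result here is not evidence that an app is safe; it only removes the cases where the permission has no plausible purpose.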

App-based malware may soon be a thing of the past with the upcoming introduction of subscription app stores.

Google has announced the upcoming release of the Google Play Pass which, like its rival Apple Arcade, will offer users a select set of apps that they can access for a monthly subscription.

Here is the full list of all apps affected by Joker:

Avocado wallpaper

Age Face

Altar message

Antivirus Security – Security Scan

Beach camera

Editing Table Images

Some wallpapers

Climate SMS

Assemble the face scanner

Cute camera

Dazzling wallpaper

Declare the message

Show camera

Excellent VPN

Humor Camera

Ignite clean

Sheet Face Scanner

Mini camera

Print factory scan

Fast face scanner

Reward Clean

Naughty SMS

Soby Camera

Sparkle wallpaper

