Google has a security team responsible for keeping the Google Play Store clean, but sometimes a piece of code appears that causes it more headaches than usual. This is the case with ‘Joker’, malware that has been circulating on Android for some time and that keeps changing its code to continue hiding from Google Play Protect scans.
“Joker,” also known by its original name, “Bread,” reappeared in January when Google removed 24 other apps, despite its Google Play record going back up to three years. Now it has reappeared and been caught with more changes on board. Joker is now able to download and install files on the phone.
‘Joker’ evolves to keep evading Google’s policing
Originally, “Joker” made its money by subscribing users to premium SMS services which, if not detected in time, worryingly inflated our phone bills. By January, the malware had gone through various code changes and mainly used WAP billing, a carrier payment method that has fallen out of use but is still active, and which “Joker” used to keep spending our money.
‘Joker’ continues to be tweaked from time to time to bypass Google Play Protect’s security checks and hide in seemingly legitimate apps, but Check Point Research found it and published its findings in a public report.
The new, updated version of “Joker” is able to download additional malware onto our Android phones and tablets, malware that in turn subscribes to premium services at a cost to affected users. In the latest detection, Check Point Research located up to 11 different package names in different apps that Google has already removed from the Play Store.
“Joker, one of the most prominent types of malware on Android, continues to make its way into the official Google app marketplace due to small changes to its code, which allows it to overcome security barriers and Play Store verification. […] This time, however, the evil actor behind Joker has taken an ancient technique from the conventional PC threat landscape and used it in the world of mobile applications to avoid detection by Google,” says Check Point Research in its report.
Apparently, the new “Joker” code, very similar to the one detected previously, uses a technique widely used on Windows, one that hides the fingerprint of its code by hiding the DEX file at the time of the mark. Either way, ‘Joker’ has been detected again and the apps related to this new iteration of its code have been removed. But knowing its record to date, it is certain that we will see it again in the coming months.
Source: Frandroid