The new version of Joker is able to download additional malware to the device.
Security researchers at Check Point discovered a new version of the Joker malware (also known as Bread) that spreads disguised as legitimate Android apps and subscribes users to paid services without their knowledge.
According to the researchers, Joker's operators found yet another way to bypass Google Play Store protections: they hide the malicious DEX executable inside the application as Base64-encoded strings, which are then decoded and loaded on the compromised device.
Initially, the code responsible for communicating with the C&C server and loading the DEX file lived inside the main classes.dex file; now the functionality of the original classes.dex is reduced to loading a new payload. Joker creates a new object that communicates with the C&C server and checks whether the campaign is still active. After confirmation, it can prepare the download of the malicious module.
To load the DEX file, the malware reads it from the manifest file. When inspecting the manifest, the researchers discovered an additional metadata field that contained the Base64-encoded DEX file. It was therefore enough to read the data from the manifest, decode the payload, and load the new DEX file.
During the study the researchers also found an "intermediate" variant, which used the same technique of hiding the .dex file as Base64-encoded strings, but instead of placing the strings in the manifest file, it kept them in an inner class of the main application. In this case, to run the malicious code it was enough to read the strings, decode them, and load the result via reflection.
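A defender-side check for the two hiding places described above (manifest metadata and string constants), as an added example that is not from the Check Point report: it Base64-decodes each candidate value and tests for the DEX file magic ("dex\n"). It assumes the APK's binary AndroidManifest.xml has already been decoded to plain XML (e.g. with apktool); the sample manifest and the fake DEX header are constructed for the demo.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DEX_MAGIC = b"dex\n"  # every DEX file begins with "dex\n0NN\0" (e.g. "dex\n035\0")

# Constructed sample: a header-only stand-in for a DEX payload (not a real DEX file)
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 24
ENCODED_DEX = base64.b64encode(FAKE_DEX).decode()

# Constructed sample manifest: one benign meta-data entry, one carrying the payload
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">
  <application>
    <meta-data android:name="com.google.android.gms.version" android:value="12451000"/>
    <meta-data android:name="cfg" android:value="{ENCODED_DEX}"/>
  </application>
</manifest>
"""


def decodes_to_dex(value):
    """True if value is Base64 text whose decoded bytes start with the DEX magic."""
    if len(value) < 12 or not re.fullmatch(r"[A-Za-z0-9+/=\s]+", value):
        return False
    try:
        blob = base64.b64decode(value, validate=False)  # tolerates embedded whitespace
    except (binascii.Error, ValueError):
        return False
    return blob.startswith(DEX_MAGIC)


def find_dex_in_manifest(manifest_xml):
    """Return the android:name of every <meta-data> whose value decodes to a DEX file."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for md in root.iter("meta-data"):
        name = md.get(f"{{{ANDROID_NS}}}name", "?")
        if decodes_to_dex(md.get(f"{{{ANDROID_NS}}}value", "")):
            hits.append(name)
    return hits


def find_dex_in_strings(strings):
    """Same check over arbitrary string constants, e.g. pulled from an inner class."""
    return [s for s in strings if decodes_to_dex(s)]


if __name__ == "__main__":
    print("suspicious meta-data:", find_dex_in_manifest(SAMPLE_MANIFEST))
```

A hit in either location is not proof of malice on its own, but a Base64 blob that decodes to a DEX header has no legitimate reason to sit in manifest metadata and merits manual review.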
According to the researchers, to subscribe users to premium services without their knowledge Joker relies on two main components: a Notification Listener that is part of the original application, and the dynamic DEX file downloaded from the C&C server to complete the registration.
First discovered in 2017, Joker is one of the most common types of Android malware that allows its operators to carry out fraudulent payments and has spyware capabilities, including theft of SMS messages, contact lists and device information.