
Joker malware spreads again through Google Play Store

File_closed07

The new version of Joker is able to download additional malware to the device.

Security researchers at Check Point discovered a new version of the Joker malware (also known as Bread) that spreads disguised as legitimate Android apps and subscribes users to paid services without their knowledge.

According to the experts, Joker's operators found another way to bypass Google Play Store protections: they hide the malicious DEX executable inside the application as Base64-encoded strings, which are then decoded and loaded on the compromised device.

Initially, the code responsible for communicating with the C&C server and loading the dex file lived inside the main classes.dex file; now the original classes.dex only contains the functionality to load a new payload. Joker creates a new object that communicates with the C&C server and checks whether the campaign is still active. After confirmation, it can prepare the download of the malicious module.

To load the dex file, the malware reads it from the manifest file. When examining the manifest, the experts discovered an additional metadata field containing the Base64-encoded dex file. It was therefore enough to read the data from the manifest, decode the payload and load the resulting dex file.

During the study the experts also found an "intermediate" variant that used the same technique of hiding the .dex file as Base64-encoded strings, but instead of placing the strings in the manifest file, it kept them in an inner class of the main application. In this case, running the malicious code only required reading the strings, decoding them and loading the result via reflection.
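The two hiding spots described above (a manifest meta-data value and string constants in an inner class) share one detectable property: the Base64 text decodes to bytes beginning with the DEX header magic. The following is an added example, not code from Check Point or from the article, of a scanner that flags such values in an AndroidManifest.xml; the manifest and the fake DEX blob are constructed samples, and `decodes_to_dex` can be run on any string constant pulled from a decompiled class as well.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Every Dalvik executable starts with "dex\n", a three-digit version and a NUL
# byte, e.g. b"dex\n035\0".
DEX_MAGIC = b"dex\n"
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def decodes_to_dex(value: str) -> bool:
    """True if `value` is Base64 text whose decoded bytes carry a DEX header."""
    stripped = "".join(value.split())  # tolerate wrapped or padded blobs
    if len(stripped) < 16:  # too short to hold even a header
        return False
    try:
        blob = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(blob) >= 8 and blob.startswith(DEX_MAGIC) and blob[7:8] == b"\0"


def find_embedded_dex(manifest_xml: str) -> list[str]:
    """Return the android:name of every <meta-data> whose value decodes to a DEX."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for meta in root.iter("meta-data"):
        name = meta.get(ANDROID_NS + "name", "?")
        value = meta.get(ANDROID_NS + "value", "")
        if decodes_to_dex(value):
            hits.append(name)
    return hits


# Constructed sample: a minimal fake DEX header (magic, version, NUL, zero padding).
FAKE_DEX = base64.b64encode(b"dex\n035\0" + b"\0" * 24).decode()

# Constructed manifest: one benign meta-data entry and one carrying the fake DEX.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <meta-data android:name="com.google.android.gms.version" android:value="12451000"/>
    <meta-data android:name="config_blob" android:value="{FAKE_DEX}"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(find_embedded_dex(SAMPLE_MANIFEST))  # ['config_blob']
```

Samples that split, reverse or otherwise transform the Base64 text before decoding will need that transformation reversed before this check applies; a manifest from a built APK is binary XML and must first be decoded to text with a tool such as apktool or aapt.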

According to experts, to subscribe users to premium services without their knowledge, Joker used two main components — the Notification Listener as part of the original application and the dynamic dex file downloaded from the C&C server to complete the registration.

First discovered in 2017, Joker is one of the most common types of Android malware that allows its operators to carry out fraudulent payments and has spyware capabilities, including theft of SMS messages, contact lists and device information.