The infamous Joker malware is hidden in the Android manifest file –– this file contains all the necessary information for the application to work. Each application contains this file. Thanks to this, Joker imperceptibly subscribes victims to paid services.

A team of researchers at Check Point Research talked about a new way that Joker uses to bypass Google Play Store security mechanisms. It was first discovered in 2017: this spyware can access notifications, read and send SMS messages. Joker uses these features to seamlessly subscribe victims to paid services. Google characterizes this malware as an ongoing threat that it has encountered over the past few years. According to Google, Joker tried almost every masking technique to go unnoticed.

Check Point researcher Aviran Hazum recently revealed a new way to use Joker. This time, the Joker malware hides the malicious code inside the Android manifest file in legitimate applications. The manifest file is located in the root folder of each application, it provides important information about the application that the Android system requires: name, icon and permissions for the Android system. Only after receiving this information, the system can execute any application code. Thus, malware does not require access to a C&C server controlled by cybercriminals. Typically, this server is used to send commands to infected systems that are already compromised by malware to download the payload — the part of the malware that does the bulk of the work.

The new method of applying Joker can be divided into three stages.

1. Creating payload. Joker preloads the payload by inserting it into the Android manifest file.
2. Deferred payload loading. During the evaluation, Joker does not even try to download a malicious payload – this greatly facilitates bypassing the Google Play Store security features.
3. Malware distribution. After the Google Play Store security services approve the application, a malicious campaign begins to work –– the payload is detected and loaded.

Researchers at Check Point responsibly disclosed their findings to Google. All claimed applications (11 applications) were removed from the Play Store by April 30, 2020.

“Joker is constantly changing, adapting to new conditions. We found that it is hiding in a file with the necessary information, a file that is contained in each Android application, ”says Aviran Hazum, mobile research specialist at Check Point Software Technologies. –– Our latest research shows that Google Play Store protection is not enough. We weekly spotted numerous instances of Joker uploading to Google Play — each of which was produced by unsuspecting users. Joker malware is hard to detect despite Google’s investment in Play Store security. Although Google has now removed the malicious applications from the Play Store, it can be assumed that Joker will return again. It is desirable for each user to know about this program and understand how it is possible to suffer from it. ”

Protection methods

If you suspect that your device may have one of these infected applications:

• Remove the infected application from the device.
• Check all accounts: your mobile operator balance, credit cards. You need to find out if you are subscribed to any paid subscriptions, and if you do not need it, cancel the subscription.
• Install a security solution to prevent further infections.