Research Saturday 8.28.21
Ep 198 | 8.28.21

Joker malware family: not a joke for Google Play.


Dave Bittner: Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Deepen Desai: So, Joker is one of the most prominent malware families that is targeting Android devices.

Dave Bittner: That's Deepen Desai. He's Chief Information Security Officer and VP of Security Research and Operations at Zscaler. The research we're discussing today is titled, "Joker Joking in Google Play: Joker Malware Targets Google Play Store With New Tactics."

Deepen Desai: And it was primarily designed to steal SMS messages, contact lists, device information, you know, anything that the bad guys can take advantage of for financial gains. They'll also use the infected devices to sign the victim up for some of the premium services.

Dave Bittner: And so what drew your attention to Joker this round? Why a newly refreshed look at them?

Deepen Desai: Right, so the team has been tracking this family. It is still one of the more prevalent families. And what is slightly of concern is, I mean, despite increasing all the public awareness about this particular malware strain, it keeps finding its way into the Google Play Store by employing changes and code execution methods and the way they are retrieving those second- and third-stage payloads.

Deepen Desai: So, what we saw over the past three months was regular uploads of Joker payloads to the Google Play Store, and the team identified it using some of the automation that we've built in the labs. We reported over a dozen – or I should say close to a dozen malicious apps that were active on the Google Play Store. Android security team was awesome – they took rapid action, removed it. But as part of the analysis that the team did, I mean, why did we see so many apps getting through?

Deepen Desai: What we noticed was they did two or three new changes in this latest wave. One of them is, they started using URL shortener services. If you're familiar with that, it's like, you know, using a shortener URLs like There are many other shortened URL service providers. So they will use that to point to that second-stage payload, which will then lead to a third-stage payload. It's multi-stage payloads leveraging URL shortener services.

Deepen Desai: The second change was they started using XOR encryption. XOR encryption is a type of encryption that's used to basically obfuscate those next-stage payloads.

Dave Bittner: Hmm.

Deepen Desai: And then they're also leveraging time-bound checks. So, you know, it's not like a user executes it and malicious code starts running right away. Instead, they will wait for a certain time before the actual detonation of the malicious code takes place on the target device.

Dave Bittner: Hmm.

Deepen Desai: And then one last thing that the team also mentioned in the blog as well was, I mean, there is some level of screening that these malware authors are doing on the infected mobile devices before executing some of the malicious functionality.

Dave Bittner: Yeah, and I want to dig into details on some of those things that you mentioned. Before we get to that, I mean, you – the research leads off with a sort of a list of some of the names of the apps that were actually covering for Joker, and it struck me that, like, one of them is PDF Photo Scanner, there's PDF Converter Scanner. There's Private Message, Read Scanner, Print Scanner. You know, these seem to be the types of apps where I have an immediate need and I want to get that immediate need taken care of right now. So it strikes me that there's even a bit of a social engineering element here, where I might not be as careful with something if I'm – you know, I have a document in front of me and right now I need to scan this document – well, get me the scanner app that's at the top of that list.

Deepen Desai: Exactly. And you sort of do rely on, you know, vetting that are placed on the official Play Store will do for these apps. So, you're spot on – the majority of the malicious apps – in fact, the team found more than fifty malicious apps in last three months – and about forty percent of those were belonging to what we call "tools category," so, exactly that you mentioned. And then there were other categories that we noticed as well. I would say the top five categories were, in addition to tools, we saw health and fitness. I mean, most of us are home and everyone is trying to stay fit, you know, doing some of those workouts. There is photography app, there's personalization category apps, and then communication was the last one where we saw abuse happening with the fake apps being uploaded. And one of the common theme was each of these apps were, you know, generally these guys using, you know, the actual apps, icons, wallpapers, you know, nice-looking icons to target the victims.

Dave Bittner: And do the apps actually have the functionality that they advertise? Do they do the thing that they say they're going to do?

Deepen Desai: No, in the majority of the cases they won't.

Dave Bittner: Hmm. So you download this, you give it a run and basically nothing happens, but it's too late. You've been infected.

Deepen Desai: Yep.

Dave Bittner: Wow. Interesting. Another interesting thing that you all bring up here is you've been tracking the developer names, which is it seems as though they're using a systematic approach to kind of not have patterns for who the developers might be here.

Deepen Desai: Yeah. It wouldn't be surprising if they've automated some of the aspects over here. Obviously, Google is deploying a lot of stuff on their end as well to flag these kind of abuse accounts and abuse attempts of uploading these types of malicious payloads. And you're seeing equal evolution happening on the bad guys' side as well. And these guys need to be making good amount of profit, because another thing that we noticed was, you know, the eleven payloads that were flagged very recently, there was a lot of changes in the coding style in the modules that we saw. So they are actively putting in time and, you know, evolving the malware – the way it executes, the way it's coded, the way it's being delivered. And so we wouldn't be surprised if we keep seeing more and more stuff in the coming months as well.

Dave Bittner: One of the things you highlight in the research is some changes that you've tracked when it comes to the command-and-control servers, those interactions. Can you take us through what you're seeing?

Deepen Desai: Yeah. So, on the C&C communications side, what we saw – one was they were making use of the shortened URL services for hosting the multi-stage payloads. They also started using different encryption methods, like AES, for hiding the multi-stage payloads and also for doing C&C communication. And some of the previous variants that we saw, the C&C communication was plaintext, and it was easy to fingerprint and flag and block. So that was another change that we noticed. And like I said, it's part of that active evolution of this malware family that we're tracking in this newer variant.

Dave Bittner: Can you walk us through the execution flow here? I mean, they come at you in multiple steps.

Deepen Desai: The typical execution flow starts with, as you mentioned at the start of the interview, you would be looking out for an app that you're looking to download to solve a certain problem, whether it's tools, whether it's health and fitness. You would go look it up on the Play Store, download it, it gets downloaded to that URL shortener service. That will lead to download of stage one, stage two, and then the final payload, which is the actual malicious payload. And then what they are doing as part of this campaign is they're using the – they're abusing the notification access piece. So once installed, the malware will prompt for notification access to the user, and then the notification access basically grants permission to read all notifications posted by the devices and any other installed applications as well. This is basically what is used to steal sensitive information from the impacted device.

Dave Bittner: Now, one of the things that you pointed out is that this malware will look for the presence of some other apps. What do you think is going on with that?

Deepen Desai: Yes, that's a common tactic that you see on lot of, you know, PC malware, where they will look for presence of security applications, they will also look for the presence of a previous variant of the same malware infection. And in some cases, you know, malware belonging to a competition, if that was installed. Now, in this case, what we noticed was that that functionality was just limited to flagging if there was a previous infection already. But it wouldn't be surprising if they add additional checks leveraging that same routine, because now they have access to all the applications running on the device, they can use that to perform additional operations.

Dave Bittner: Now, help me understand here. I mean, is it the case that when you have an app that you're putting on the Google Play Store, for example, and that app has functionality for downloading multiple payloads as part of its installation process or, you know, its normal range of operations – would it be accurate to say that that's a fairly straightforward way for a malware operator to get something on to a system? Where, for example, you could have, you know, one payload while you're submitting your app to Google Play to say, hey, here's our app, this is what it's about, scan it, you know, have at it, do all of your safety checks. And then once you're on the store, can you then change the contents of those payloads, and off you go?

Deepen Desai: Yeah, and that is exactly what a lot of these malware authors abuse. Obviously the Play Store Android security team will have some level of vetting happening on a regular basis wherever there is a network URL being reached out by some of the apps. But the scale at which, you know, they are operating as well, there's millions of apps out there. It's a hard problem to solve.

Dave Bittner: Right, right. So what are your recommendations then? I mean, if I'm someone going about my business using my Android device, how do I make sure that I don't fall victim to these sorts of things?

Deepen Desai: Yeah. So, one of the common recommendations we always give is stick to the official Play Store. But you would say, hey, in this case, that's where you found all the malware. So the next thing I would do is look at the author that uploaded the app. You would be able to tell the difference between the ones that are trusted, have been around for a long time. I would even go ahead and look at the comments that are posted. In a lot of these infected apps, what you will see is the functionality is not being delivered as promised. So you will see some angry users posting comments as well. And those are all telltale signs on, you know, whether you can trust an app or not. Do not just search and download the first app you see in the results, because that's basically what these guys are trying to take advantage of.

Dave Bittner: Our thanks to Deepen Desai from Zscaler for joining us. The research is titled, "Joker Joking in Google Play." We'll have a link in the show notes.

Dave Bittner: The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Tre Hester, Elliott Peltzman, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.