The threat actor behind the Joker Android malware has once again succeeded in slipping spyware-infected apps onto the Play Store, Google's official Android app store. [...]
A new variant of Joker slipped into the Play Store and infected Android users by hiding its malicious payload, a dex file, as Base64-encoded strings inside the AndroidManifest files of seemingly benign apps (the manifest provides the Android build tools, the Android OS, and the Google Play Store with essential information about an app).
This allows the malware to avoid detection while it is analyzed during the submission process and eliminates the need to connect to a command-and-control (C2) server to download the malicious components onto compromised devices.
In all, the Check Point researchers who spotted the new Joker variant reported 11 apps to Google; the applications were removed from the official Android marketplace by April 30, 2020.
Check Point's Manager of Mobile Research Aviran Hazum says that the new method of infection used by Joker includes the following three steps:
1. Build payload first: Joker builds its payload beforehand, inserting it into the Android Manifest File.
2. Skip payload loading: During evaluation time, Joker does not even try to load the malicious payload, which makes it a lot easier to bypass Google Play Store protections.
3. Malware spreads: After the evaluation period, once the app has been approved, the campaign starts to operate and the malicious payload is decoded and loaded.
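The hiding place described above, a dex file stored as Base64 text in manifest attributes, is something a reviewer can check for statically. The following is an added defender-side example written for this article, not Check Point's or Google's tooling: it Base64-decodes long string runs in every manifest attribute and flags any that begin with the DEX file header. The 64-character minimum run length and the constructed sample manifests are assumptions of this example.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Every DEX file starts with "dex\n", a three-digit format version and a NUL.
DEX_MAGIC = re.compile(rb"\Adex\n\d{3}\x00")
# A Base64 run long enough to carry code rather than a short config token
# (threshold is an assumption of this example).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def find_embedded_dex(manifest_xml: str):
    """Return [(element@attribute, decoded size)] for each manifest attribute
    holding a Base64 run that decodes to data with a DEX header.
    Hypothetical static check written for this article, not vendor tooling."""
    hits = []
    for elem in ET.fromstring(manifest_xml).iter():
        for attr, value in elem.attrib.items():
            for run in B64_RUN.findall(value):
                try:
                    blob = base64.b64decode(run, validate=True)
                except (binascii.Error, ValueError):
                    continue  # not valid Base64 after all, skip it
                if DEX_MAGIC.match(blob):
                    # drop the android: namespace URI from the attribute name
                    name = attr.rsplit("}", 1)[-1]
                    hits.append((f"{elem.tag}@{name}", len(blob)))
    return hits


# Constructed sample: a fake DEX header (magic plus zero padding), Base64
# encoded into a meta-data value beside ordinary attributes.
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 120
SUSPICIOUS_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <application android:label="Weather Widget">
    <meta-data android:name="cfg"
               android:value="{base64.b64encode(FAKE_DEX).decode()}"/>
  </application>
</manifest>"""

# Constructed benign counterpart: a long Base64 string that is not a DEX file.
BENIGN_MANIFEST = SUSPICIOUS_MANIFEST.replace(
    base64.b64encode(FAKE_DEX).decode(), base64.b64encode(b"\x01" * 96).decode())

if __name__ == "__main__":
    print(find_embedded_dex(SUSPICIOUS_MANIFEST))  # [('meta-data@value', 128)]
    print(find_embedded_dex(BENIGN_MANIFEST))      # []
```

Because the payload never touches the network, a check like this belongs in the static review of the APK itself rather than in traffic monitoring.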