Joker malware returns to target millions more Android devices
Slight tweaks were all that was needed to beat automated defenses
The notorious Joker malware has once again found its way into the official Google Play Store by making subtle tweaks to get past automated checks, reports have claimed.
The Joker family of malware has been infecting apps on Google’s Play Store for the last few years, and has even cropped up on other prominent app stores such as Huawei’s.
“Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques,” suggest researchers from cloud security firm Zscaler.
Zscaler suggests that the Joker spyware is designed to steal SMS messages, contact lists, and device information and will also silently sign up victims to premium wireless application protocol (WAP) services.
Stay vigilant
Zscaler’s team has had its eye on Joker for some time now, and was recently alerted by a spate of uploads on the Play Store. After verifying the presence of the malware, the researchers alerted the Google Android Security team, which promptly removed over a dozen suspicious apps flagged by the researchers.
In their analysis of this latest Joker strain, Zscaler notes that the malware employs three different tactics to bypass Google Play’s vetting process.
One involves directly embedding the URL of the command and control (C2) server in the code itself, masking it with string obfuscation. The other two involve downloading one or two stager payloads, whose URLs are AES-encrypted to make them illegible.
In all three cases, the final payload is the malicious code itself, which uses DES encryption while carrying out its spyware activities.
Given the ease with which the malware managed to sneak past Google’s filters, the researchers suggest users stay alert and always pay close attention to the permissions sought by apps they want to install, keeping their eyes peeled for “risky permissions” related to messages, call logs, contacts, and other sensitive areas on the device.
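The permission review the researchers recommend can be automated for apps you already have in hand. The script below is an added example written for this article, not code from Zscaler or from any of the flagged apps: it parses a decoded AndroidManifest.xml (as produced by a tool such as apktool) and groups every requested permission that touches messages, call logs, contacts or device identity. The manifest embedded in it is constructed for illustration, the package name is fictional, and the list of permissions treated as risky is an illustrative subset chosen to match the areas the article names, not an authoritative catalogue.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in a decoded manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative subset of dangerous permissions, grouped by the sensitive area
# the article calls out (messages, call logs, contacts, device information).
# Assumption: this list is our own selection, not an official Android grouping.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.SEND_SMS": "messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.WRITE_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "device information",
}

# Constructed sample manifest for a hypothetical wallpaper app. A wallpaper
# app has no legitimate reason to read SMS or contacts, which is exactly the
# mismatch a user or reviewer should notice.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Wallpapers"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every permission name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]


def flag_risky(manifest_xml: str, expected_areas=()) -> dict[str, list[str]]:
    """Group risky permissions by the sensitive area they touch.

    expected_areas lists areas the app's stated purpose genuinely needs
    (an SMS client legitimately needs "messages"); those are not flagged,
    so only the unexplained requests remain.
    """
    flagged: dict[str, list[str]] = {}
    for perm in requested_permissions(manifest_xml):
        area = RISKY_PERMISSIONS.get(perm)
        if area and area not in expected_areas:
            flagged.setdefault(area, []).append(perm)
    return flagged


def risk_report(manifest_xml: str, expected_areas=()) -> str:
    """Human-readable summary of the unexplained risky permissions."""
    flagged = flag_risky(manifest_xml, expected_areas)
    if not flagged:
        return "no unexplained risky permissions"
    lines = [f"{area}: {', '.join(perms)}" for area, perms in flagged.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # A wallpaper app should need none of these areas, so nothing is expected.
    print(risk_report(SAMPLE_MANIFEST))
```

Pass the areas the app's purpose justifies in `expected_areas` so that a messaging app is not flagged for SMS access; whatever is left in the report is the permission set that deserves a second look before installing.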
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.