A report was just released regarding malware that targets Android, called Joker. This malware has been around since 2016, but it continues to be one of the major threats to Android devices. It can steal SMS messages, contact lists, and device information, and it can silently sign victims up for pricey premium subscriptions by abusing Wireless Application Protocol (WAP) billing. The malware gets added to applications that can be downloaded from the Google Play Store, and though Google has removed many of those apps, the malware keeps coming back. So how does it do what it does?
How it works
The apps that carry the Joker malware are essentially “knock-offs” of legitimate apps that can fool people into downloading them. They do not directly contain the malware; instead they contain what is called a “dropper”, code which at some future time, days or weeks later, will contact a remote site and download the actual malware. This dropper code is heavily obfuscated in a variety of ways. Sometimes the payload is AES encrypted; other times it masquerades as files that are common in other applications, such as JSON or CSS files, so a scan that trusts file names and extensions overlooks it. The download is frequently a *.dex file (Dalvik Executable), the bytecode format Android applications are compiled into and one that a running app can load dynamically. Joker can also use code injection to hide inside the namespaces of legitimate third-party packages present in the app, such as org.junit.internal, com.google.android.gms.dynamite, or com.unity3d.player.UnityProvider, so that anyone skimming the package tree sees only familiar library names. The security firm Zscaler issued the most recent report on this, and they explained the methods Joker uses to download the malware.
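The masquerading described above is straightforward to check for, because a dex file begins with a fixed header no matter what name it is stored under. The following Python is added here as an example; it is not code from the Joker samples or from Zscaler's report. It opens an APK as the zip archive it is and flags any entry whose first bytes carry the dex magic but whose name does not end in .dex. The sample archive and its entry names are constructed for the example.

```python
import io
import re
import zipfile

# A dex file starts with the magic "dex\n", a three-digit format version and a
# NUL byte, e.g. b"dex\n035\x00" (versions 035, 037, 038, 039 are common).
DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")


def looks_like_dex(data: bytes) -> bool:
    """True if the first 8 bytes carry a dex header magic."""
    return DEX_MAGIC.match(data[:8]) is not None


def find_hidden_dex(apk_bytes: bytes) -> list[str]:
    """Return entry names whose content is dex but whose name does not say so.

    Only the first 8 bytes of each entry are read, so this is cheap even for
    large APKs. Entries that are honestly named *.dex are skipped.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or info.filename.endswith(".dex"):
                continue
            with apk.open(info) as fh:
                head = fh.read(8)
            if looks_like_dex(head):
                hits.append(info.filename)
    return hits


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal zip standing in for an APK (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)          # legitimate, honestly named
        z.writestr("assets/config.json", b'{"ads": true, "locale": "en"}')   # real JSON, left alone
        z.writestr("assets/theme.css", b"dex\n038\x00" + b"\x00" * 64)       # dex posing as CSS
        z.writestr("res/raw/data.json", b"dex\n037\x00" + b"\x00" * 64)      # dex posing as JSON
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_hidden_dex(build_sample_apk()):
        print("dex payload under a misleading name:", name)
```

This catches only plaintext dex. A payload that the dropper stores AES encrypted has no recognizable header, so for that case the analyst has to look for the decryption routine in the code, or for asset files whose entropy is far too high for the JSON or CSS they claim to be.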
Direct Download
In this scenario, a URL is hidden in the code via string obfuscation. Rather than hiding the executable code itself, this technique hides the strings the code depends on, so that a static scan for a literal URL or domain finds nothing; the real string only exists after the code reassembles or decodes it at run time. The Sucuri site gives a PHP example of the same idea: the name of the function to call is broken into 2-3 character chunks, each inside single quotes and joined with the concatenation operator (a period). At run time PHP concatenates the chunks back into the function name and calls the function, while a scanner that greps the source for that function name never sees it.
Once the URL has been “decoded”, the app contacts a Command and Control (C&C) server, which returns another URL pointing to the final download of the malware payload, along with a JSON file containing the configuration for that download. Once the JSON file has been downloaded and parsed, the final download takes place.
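To make the string-obfuscation point concrete, here is a small Python model, added as an example and not taken from the Joker samples or the Zscaler report, of two of the tricks described: a URL kept only as short fragments (the same idea as the Sucuri PHP example) and a URL kept XOR-encoded with a short key. A regex scan over the obfuscated data, standing in for a static scanner run over the app's string table, finds nothing, while the same scan over the recovered string finds the URL. The URL and the key are made up for the example; they are not real indicators.

```python
import re
from itertools import cycle

# Constructed for this example: neither the URL nor the key is a real Joker indicator.
HIDDEN_URL = "https://c2.example.invalid/stage1"
KEY = b"\x5a\x13\xc4"  # hypothetical short repeating XOR key

URL_RE = re.compile(rb"https?://[\w./-]+")


def scan_for_urls(blob: bytes) -> list[bytes]:
    """What a naive static scanner does: look for literal URLs in a blob of bytes."""
    return URL_RE.findall(blob)


def split_into_fragments(s: str, size: int = 3) -> list[str]:
    """Obfuscation style 1: keep the string only as 2-3 character pieces."""
    return [s[i:i + size] for i in range(0, len(s), size)]


def string_pool(fragments: list[str]) -> bytes:
    """Model a dex string table: every fragment is its own NUL-terminated entry.

    This is what a scanner sees on disk; "htt" and "ps:" are separate strings,
    so no entry ever contains "http".
    """
    return b"".join(f.encode() + b"\x00" for f in fragments)


def join_fragments(fragments: list[str]) -> str:
    """What the app does at run time: reassemble the pieces into the real URL."""
    return "".join(fragments)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Obfuscation style 2: XOR with a repeating key. The same call decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


if __name__ == "__main__":
    frags = split_into_fragments(HIDDEN_URL)
    xored = xor_bytes(HIDDEN_URL.encode(), KEY)
    print("scan of fragment pool :", scan_for_urls(string_pool(frags)))
    print("scan of XOR'd bytes   :", scan_for_urls(xored))
    print("scan after reassembly :", scan_for_urls(join_fragments(frags).encode()))
    print("scan after XOR decode :", scan_for_urls(xor_bytes(xored, KEY)))
```

The lesson for detection is that the URL has to be recovered the way the app recovers it: either by hooking the concatenation or decryption routine at run time, or by finding that routine in the decompiled code and replaying it over the stored data, as `join_fragments` and `xor_bytes` do here.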
One-Stage Download
This variant downloads a stager payload first, which then leads to the final download. The URL for the stager payload is AES encrypted. Zscaler has noted two varieties of stager payload, either an APK file or a *.dex file. The stager is responsible for obtaining the URL of the final payload, downloading it, and executing it.
Two-Stage Download
In this variant, the infected app executes code to contact the C&C server, which replies with a response whose HTTP Location header carries the URL for the first stager payload. The first stager payload is downloaded and executed, and it then downloads the second stager payload, which in turn contains the hard-coded URL for the final payload. That is then downloaded.
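The following Python, added here as an example and not code from the Joker samples or the Zscaler report, models the two-stage chain offline. A constructed response table stands in for the network; the C&C answer is a raw HTTP response whose Location header carries the first stager URL, and each stager body carries the next URL behind a NEXT= marker, a stand-in for the URL embedded in real stager code. The walker parses the responses and follows the chain with a hop limit, which is also how an analyst's emulator avoids looping on a misbehaving server. All hostnames are reserved example names, not real indicators.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Response:
    status: int
    headers: dict[str, str]
    body: bytes


def parse_http_response(raw: bytes) -> Response:
    """Parse a raw HTTP/1.x response; header names are case-insensitive, so lower them."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split(b" ", 2)[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode().lower()] = value.strip().decode()
    return Response(status, headers, body)


# Constructed offline "network": URL -> raw response bytes. The hosts are
# reserved example names; nothing here is a real Joker indicator.
C2 = "http://c2.example.invalid/check"
STAGER1 = "http://cdn.example.invalid/s1.dex"
STAGER2 = "http://cdn.example.invalid/s2.dex"
FINAL = "http://cdn.example.invalid/final.dex"

FAKE_NET = {
    # The C&C points at the first stager only via the Location header.
    C2: b"HTTP/1.1 302 Found\r\nLocation: " + STAGER1.encode() + b"\r\nContent-Length: 0\r\n\r\n",
    # Stager bodies: a real stager is dex code carrying the next URL; here NEXT= stands in for that.
    STAGER1: b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nNEXT=" + STAGER2.encode(),
    STAGER2: b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nNEXT=" + FINAL.encode(),
    FINAL: b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\ndex\n035\x00payload",
}


def fake_fetch(url: str) -> Response:
    """Offline stand-in for an HTTP GET against the constructed table."""
    return parse_http_response(FAKE_NET[url])


def next_hop(resp: Response) -> Optional[str]:
    """Where does this response point? A redirect Location first, then an embedded NEXT= marker."""
    if 300 <= resp.status < 400 and "location" in resp.headers:
        return resp.headers["location"]
    if resp.body.startswith(b"NEXT="):
        return resp.body[len(b"NEXT="):].decode()
    return None  # a final payload points nowhere


def follow_chain(start: str, fetch: Callable[[str], Response], max_hops: int = 5) -> list[str]:
    """Walk from the C&C to the final payload, returning every URL in order.

    The hop limit and the loop check keep an emulator from spinning on a
    server that redirects forever.
    """
    visited = [start]
    resp = fetch(start)
    while (nxt := next_hop(resp)) is not None:
        if nxt in visited or len(visited) >= max_hops:
            raise RuntimeError(f"chain loops or exceeds {max_hops} hops at {nxt}")
        visited.append(nxt)
        resp = fetch(nxt)
    return visited


if __name__ == "__main__":
    for hop, url in enumerate(follow_chain(C2, fake_fetch)):
        print(f"hop {hop}: {url}")
```

Only the C&C address is present in the app; every later URL is produced by a server response, which is why a static indicator list built from one sample goes stale as soon as the C&C starts pointing somewhere else.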
Final Payload
Regardless of the download method, the final payload is the same. It encrypts its C&C communications with DES, and it uses string obfuscation techniques to hide all of its important strings.
What can you do?
Given that this malware has been infecting apps in the Google Play Store for 5 years now, it does not seem like someone else is going to fix the problem. The Zscaler report says that Google has removed these apps from the Play Store, but that does not remove them from your phone if you had the misfortune to install one. Using an anti-malware app on your phone may help, but the techniques Joker uses to hide make it challenging to detect and remove.
Step one is to check whether you have one of these apps and, if so, remove it manually from your phone. You can see the latest batch of 17 apps Zscaler found at this Web page. Once that is done, there are some common sense precautions you can take.
- Be careful to only download and install apps that serve a genuine need. Installing lots of apps willy-nilly only increases your attack surface.
- Check the history of the app. If it is fairly new and has relatively few downloads, you should probably steer clear. Remember that Google removes these apps from the Play Store as soon as it is aware of them, so they don't tend to last long.
- Stick with developers that have a good reputation and track record.
- For apps you rarely use or haven’t used recently, consider uninstalling them. Remember it is about the size of the attack surface.
- Pay attention to permissions. When you install an app, or when it first tries to use a sensitive capability, it asks you for permission. Most people just tap OK without reading, and that is what malware authors rely on. If a solitaire app asks for access to your Contacts list and your SMS messages, you probably shouldn't allow it; that combination is exactly what Joker needs for its SMS theft and subscription fraud.
- Manage your existing permissions. A good thing Android 11 does is automatically revoke permissions from apps you haven't used in a while. You can read more about this and how to manage permissions in this TechRepublic article.