Last Updated on 22/11/2021 by TheDigitalHacker
A new batch of Joker malware variants has been identified spreading via the Play Store. These variations employ clever tactics to circumvent detection by Google’s malware detection engine.
The new variations were identified by Cyble Research Labs and are aimed towards Thai Android users. The virus uses mobile data to visit cellular webpages (payment endpoints) and conduct illicit payment activities. It also steals OTPs, which are used as transaction authentication. To carry out harmful acts, the versions employ a variety of obfuscation methods and multi-stage payloads.
To disseminate the new variations, the attackers constructed malicious apps that masqueraded as ordinary, legitimate programmes. In recent assaults, one Joker version was seen taking advantage of the popularity of the Squid Game to entice unsuspecting victims. In another example, the malicious programme masqueraded as an official LED flasher app, which employs LED to notify users of incoming calls and SMSs.
The latest edition in the flasher app employs three multi-stage payloads to carry out destructive actions. Furthermore, this variation demands 18 distinct permissions from Android, three of which are used by the virus. Initially, the variation employs an APK file that loads a shared object (.so) file, which then downloads and loads the APK file. A code for downloading the first-stage payload is concealed in the.so file. The payload in the second stage is an APK file containing code to collect OTPs via the notification listener service. The payload is a Jar file with a billing fraud code in the final step.
For Android users, the Joker virus is a clever and severe menace. Furthermore, malware producers are always employing new tactics to escape detection, such as multi-stage payloads. To keep safe, experts advise avoiding programs from untrustworthy third-party sources and monitoring the activity of installed apps.
