Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Joker malware. Show all posts

Harley Trojan Affecting the Users by Impersonating the Applications

 

There are numerous unpatched malwares hidden under the apps in the Google Play Store that seem to be harmless but are actually malicious programs. Google Play Store is an official platform that runs every process with careful monitoring carried out by the moderators. However, some apps may evade the moderator's check since it's not possible to check all the apps before they go live on the platform. 

One such popular malware, called Trojan Subscribers has been discovered by Kaspersky. It affects the users by signing up for paid services without their knowledge. The malware exhibits similarities with the Jocker Trojan subscriber, experts presume that the two have a common origin. 

A trojan is a malicious code or software that gets downloaded onto a system, disguised as an authorized application. 

In the past 3 years, over 190 apps have been found infected with Harly Trojan on the Google play store, and the number of downloads of such apps is more than 4.8 million.  

To spread the virus to different systems, the threat actors download the original applications and place their malicious code into them and later re-upload them to Google Play Store with some other name. 

The attackers play smart by keeping the same features in the app as listed in the description so that the users do not suspect a threat. The impersonating of legitimate apps also provides advertisement. 

The Trojan malware belonging to the Harley family includes a payload inside the application and uses numerous methods to decrypt and execute the payload. 

After the decryption, the Harley gathers information about the user’s device including the mobile network. By connecting to the mobile network, the malware opens up a list of subscription addresses from a C&C server, where it automatically enters the user's mobile number followed by other options to continue the process, including the OTP from messages. As a result, the user ends up with a paid subscription for a service without their knowledge or consent.  

To avoid being a victim of such apps, anti-virus experts suggest looking for reviews of the applications before downloading them. Google has been notified about such apps and asked to remove all the Trojan-infected apps from the platform and devices that are infected with them. 

Joker Virus is Back, Targeting Android Devices

 

The notorious Joker has made a comeback, according to Belgian police, who cautioned about the Joker Virus that only targets Android smartphones and lurks in numerous apps available on the Google marketplace known as Play Store. 

The Joker malware is among the most tenacious and annoying viruses for Android, and it is even capable of infecting people through the use of the Google Play Store since it is disguised within defenseless apps. This Joker software can completely deplete victims' bank account of all funds. The 'Joker' Trojan infection is part of the Bread malware family, whose primary goal is to hijack cell phone bills and allow activities without the user's knowledge. 

As per experts at cybersecurity firm Quick Heal Security Lab, the Joker virus could access user smartphone's text messages, contact information, and a variety of other data, enabling it to enroll in websites providing premium services. Due to this users face the danger of receiving a large bill from their bank or credit card at the end of the month. 

"This malicious program has been detected in eight Play Store applications that Google has suppressed," stated the Belgian authorities in a statement published on Friday 20th August on their website. 

The 'Joker' malware made headlines in 2017 for attacking and stealing data from its victims while masquerading in several applications. Since that day, Google Play Store defense systems have deleted approximately 1,700 apps containing the 'Joker' malware before they could be installed by users. The 'Joker' virus was discovered in 24 Android applications in September 2020, with over 500 thousand downloads before even being deactivated. It is suspected that more than 30 countries were impacted at the time, along with the United States, Brazil, and Spain. Hackers might take up to $7 (approximately 140 Mexican pesos) per subscription weekly via illicit memberships, an amount that has most certainly escalated in recent months. 

According to La Razón, the cybersecurity firm Zscaler has publicly revealed the names of 16 other apps that, according to its investigation, also include this dangerous code: Private SMS, Hummingbird PDF Converter - Photo to PDF, Style Photo Collage, Talent Photo Editor - Blur focus, Paper Doc Scanner, All Good PDF Scanner, Care Message, Part Message, Blue Scanner, Direct Messenger, One Sentence Translator - Multifunctional Translator, Mint Leaf Message-Your Private Message, Unique Keyboard - Fancy Fonts & Free Emoticons, Tangram App Lock, Desire Translate and Meticulous Scanner. 

Initially, apps infected with 'Joker' or another Malware from any of this family committed SMS fraud but soon began to target electronic payments. These two strategies make use of telephone operators' interaction with suppliers to permit service payment via the mobile bill. Both necessitate device authentication but not human verification, allowing them to automate transactions without requiring any user participation. 

In addition, it is typical for all those impacted by 'Joker' to be unaware of the theft unless they thoroughly study their bank statements. It's because the bank does not detect an evidently 'regular' membership and, in general, the charges are so little that they are not noticed as odd movements, therefore the account holder does not even send a traffic notification. 

Furthermore, the malicious applications that the Google Play Store removed upon discovering that they carried the 'Joker' virus are as follows: Auxiliary Message, Element Scanner, Fast Magic SMS, Free Cam Scanner, Go Messages, Super Message, Super SMS, and Travel Wallpapers.

Updated Joker Malware Floods into Android Apps

 

The Joker mobile virus has made its entry back on Google Play with an increase in malicious Android apps that mask the billing fraud software, according to researchers. It's also employing new techniques to get beyond Google's app vetting process. 

Joker has been hiding in the shadows of genuine programs including camera apps, games, messengers, picture editors, translators, and wallpapers since 2017. Once installed, Joker applications discreetly simulate clicks and intercept SMS messages to sign victims up for unwanted, paid premium services controlled by the attackers - a kind of billing fraud known as "fleeceware". 

Malicious Joker applications are widely available outside of the official Google Play store, and they've been escaping Google Play's safeguards since 2019. This is mostly due to the malware developers' constant modification of their attack approach. As a result, periodic waves of Joker infections have occurred within the official store, including two large outbreaks last year. 

Over 1,800 Android applications infected with Joker have been deleted from the Google Play market in the previous four years, according to Zimperium experts. Since September, at least 1,000 new samples have been discovered in the newest wave, with many of them making their way into the legitimate market. 

According to a Zimperium analysis, “Malicious actors have routinely found new and unique ways to get this malware into both official and unofficial app stores. While they are never long for life in these repositories, the persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat-and-mouse game.” 

According to Zimperium, the developers of the most recent versions of Joker, which first appeared in late 2020, are using legitimate developer techniques to “try and hide the actual intent of the payload from traditional, legacy-based mobile security toolsets,” which allows them to escape both device-based security and app store protections. 

Flutter, a Google-developed open-source app development kit that allows developers to create native apps for mobile, web, and desktop from a single codebase, is one way they're accomplishing it. The researchers explained, “Due to the commonality of Flutter, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies”. 

New techniques: 

Another anti-detection method recently implemented by Joker enthusiasts, according to the research, is the habit of embedding the payload as a.DEX file that may be obfuscated in a variety of ways, such as being encrypted with a number or buried inside a picture via steganography. 

According to researchers, the picture is sometimes stored in authorized cloud repositories or on a remote command-and-control (C2) server in the latter scenario. Other new behaviors include hiding C2 addresses with URL shorteners and decrypting an offline payload using a mix of native libraries. 

The new samples also take further steps to remain covert when a trojanized program is loaded, according to researchers. “After successful installation, the application infected with Joker will run a scan using Google Play APIs to check the latest version of the app in Google Play Store,” researchers explained. 

“If there is no answer, the malware remains silent since it can be running on a dynamic analysis emulator. But if the version found in the store is older than the current version, the local malware payload is executed, infecting the mobile device. If the version in the store is newer than the current one, then the C2s are contacted to download an updated version of the payload.” 

Consumers and enterprises alike at risk:

The apps are appearing in a variety of places, including Google Play and unauthorized third-party markets, as well as other legitimate channels, some for the first time. For example, the official app store for Huawei Android, AppGallery, was recently discovered to be infected with the Joker virus. 

According to Doctor Web, the applications were downloaded to over 538,000 smartphones by unsuspecting users in April. 

Saryu Nayyar, CEO at Gurucul, stated in the email, “Sadly, the Joker malware is no joke. And even more depressing, no dark knight is going to ride in to save users from these malicious apps. Users have to manually clean their devices of this pesky malware. The good news is that it appears the only damage is financial and likely temporary. Users who have been subscribed to premium mobile services as a result of this malware can request refunds for said services since the affected applications are known.” 

Earlier this year, Josh Bohls, CEO and founder at Inkscreen, said that Joker is an issue for businesses as well as people. “These malicious applications can find their way into the enterprise when an infected device is enrolled in a company’s bring-your-own-device (BYOD) program, and suddenly you have a new threat vector,” he told via email.

Joker Malware Targeting Android Users Again

 

Recently Joker virus has been discovered in a few Google Play Store apps. The malware infiltrates a user's device through applications, collects data, and then subscribes these users to premium memberships without the individual's consent or agreement. 

Since three years, the Joker Trojan malware has been discovered in Google Play Store apps. In July 2020, the Joker virus infected over 40 Android apps available on Google Play Store, forcing Google to remove the compromised apps from the Play Store. Users' data is stolen, including SMS, contact lists, device information, OTPs, and other major data.

Quick Heal Security Labs recently discovered 8 Joker malware on the Google Play Store. These eight apps were reported to Google, and the company has since deleted them all from its store. 

The following are the eight apps that have recently been discovered to be infected with the Joker Trojan virus and should be deleted from any Android device: 
-Auxiliary Message 
-Fast Magic SMS 
-Free CamScanner 
-Super Message 
-Element Scanner 
-Go Messages 
-Travel Wallpapers 
-Super SMS 

Through SMS messages, contact lists, and device information, the Joker Trojan collects information from the victim's device. The Trojan then interacts discreetly with advertising websites and, without the victim's knowledge, subscribes them to premium services. 

According to the Quick Heal report, these applications request notification access at launch, which is then utilised to obtain notification data. After that, the programme takes SMS data from the notification and requests Contacts access. When permission is granted, the app makes and manages phone calls. Afterwards, it keeps working without displaying any suspicious attacks to the user. 

“Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services,” Zcaler stated in a blog post.

500,000 Huawei Devices hit by the Joker Malware

 

Security researchers have discovered that over 500,000 Huawei smartphone users who inadvertently subscribe to premium mobile services have downloaded apps contaminated by the Joker malware. For the past couple of years the malware family of Joker has infected apps on Google's Play Store, but it is the first time on Huawei phones. Using the company's in-house platform - App Gallery, Huawei users are not actually able to access the Google Play Store due to business restrictions in the USA. Researchers also discovered in the App Gallery some 10 apparently harmful applications containing malicious command and control server connectivity code for installation and additional components. 

A source noted that “Doctor Web’s virus analysts have uncovered the first malware on App Gallery―the official app store from the Huawei Android device manufacturer. They turned out to be dangerous Android. Joker trojans function primarily to subscribe users to premium mobile services. In total, our specialists discovered that 10 modifications of these trojans have found their way onto App Gallery, with more than 538,000 users having installed them.”

However, the researchers mentioned that the malware might subscribe the user to up to five services, but that restriction could also be changed at any time by the threat actor. Digital keyboards, a camera app, a launcher, an online messenger, an adhesive set, coloring programs, and a game were included in the malicious applications list. Most of the applications were developed by one (Shanxi Kuailaipai Network Technology Co., Ltd.) developer and two from separate developers. More than 538,000 Huawei users have installed these 10 applications, as per the Doctor Web’s reports. 

Doctor Web notified Huawei of these applications and the company detected and removed them from the App Gallery. Although new users cannot download them anymore, whereas if the applications were on the devices of other users then they must be cleaned manually. Upon being enabled, the malware transmits a configuration file to the remote server, including a task list, premium service websites, and JavaScript which imitates user interaction states the researchers. 

The history of Joker malware goes back to 2017 and has consistently made its way through the Google Play store distributed games. In October 2019, Kaspersky Malware Researcher Tatyana Shishkova tweeted over 70 compromise applications that made it official. And the malware reports in Google Play continued to surge. In early 2020, Google announced the removal of some 1,700 Joker-infected applications. Joker remained in the shop last February and even in July of last year he still slips through Google's defenses.