The Joker malware is still capable of bypassing Google Play's defenses.
The Joker malware, a spyware and premium dialer, has a vast range of capabilities: it is able to disable Google Play Protect, display ads, write fake reviews and install malicious apps. The malware is also capable of stealing device data, SMS messages and contact lists. The latest samples are reported to subscribe Android users to premium services without their permission.
Google has been dealing with the Joker malware since September 2019, when it had to remove 24 apps from the Play Store because they were infected with Joker.
In January 2020 Google reported that it had removed more than 1,700 apps infected with Joker over the past three years, but the Joker malware constantly keeps changing; the latest samples have been shown to be specifically designed to dodge Google Play's defenses.
According to an analysis by Check Point, these newest samples were found in four apps (a wallpaper app, a photo-editing app, an SMS app and a camera app) that were downloaded more than 130,000 times. These infected apps are:
The developers of the malware try to hide its range of operations and purpose by altering the strings it uses. The newly discovered samples show that the developers obfuscated the strings with a simple XOR cipher using a static key. The malware checks whether an initial payload is already present and, if it is not, downloads it from a command and control (C2) server. Joker also contains a function that reads the mobile operator information and makes the malware avoid devices in the US and Canada.
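The static-key XOR string obfuscation described above is trivial to undo once the key is known, and for a single-byte key the key itself can be recovered by brute force from a known fragment such as "http". The following is an added example written for this page; it is not Check Point's code and not code from any Joker sample, and every key and string in it is constructed for illustration (the key 0x5A and the string table are made up, and the `example.invalid` host is a placeholder):

```python
"""
Added analyst helper for undoing static-key XOR string obfuscation.
All sample values below are constructed; none come from a real Joker sample.
"""
from typing import List, Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so the same call
    obfuscates and de-obfuscates."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_strings(blobs: List[bytes], key: bytes) -> List[str]:
    """Decode a whole table of XOR-obfuscated strings with a known static key."""
    return [xor_bytes(blob, key).decode("utf-8", errors="replace") for blob in blobs]


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; real strings score near 1.0."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127) / len(data)


def recover_single_byte_key(blob: bytes, marker: bytes = b"http") -> Optional[int]:
    """Brute-force a one-byte key: the candidate whose output contains the
    known marker and is mostly printable wins. Returns None if no key fits.
    A multi-byte static key needs a longer known plaintext; this covers the
    one-byte case an analyst meets most often."""
    best: Optional[tuple] = None
    for k in range(256):
        out = xor_bytes(blob, bytes([k]))
        ratio = printable_ratio(out)
        if marker in out and ratio > 0.9:
            if best is None or ratio > best[1]:
                best = (k, ratio)
    return best[0] if best else None


# Constructed sample: a string table as it might sit in a decompiled class,
# obfuscated with a made-up static key. The C2 host is a placeholder.
DEMO_KEY = bytes([0x5A])
PLAINTEXT = [
    b"http://c2.example.invalid/payload",  # placeholder payload URL
    b"class_to_load",                     # constructed class name
    b"method_to_run",                     # constructed method name
]
OBFUSCATED = [xor_bytes(s, DEMO_KEY) for s in PLAINTEXT]


if __name__ == "__main__":
    key = recover_single_byte_key(OBFUSCATED[0])
    print("recovered key:", hex(key) if key is not None else "none")
    if key is not None:
        for decoded in decode_strings(OBFUSCATED, bytes([key])):
            print(decoded)
```

In practice the string table is lifted from the decompiled app and the recovered key is then applied to every obfuscated string, which is usually enough to expose the C2 URL and the class and method names the loader will invoke.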
According to Check Point: “Once all conditions are met, Joker contacts the payload’s C&C server, from which it loads a configuration.” “The configuration contains a new URL, for another payload to be loaded, and a class name with a method to be executed after downloading.”
The Joker malware gives experienced attackers a reliable way to exploit Android users: it has repeatedly made its way into the official store and has been downloaded almost every week since it first appeared.