CyberWire Daily - Joker malware family: not a joke for Google Play. [Research Saturday]

Episode Date: August 28, 2021

Guest Deepen Desai, Zscaler's Chief Information Security Officer and VP Security Research & Operations, joins Dave to discuss their ThreatLabz team's research "Joker Joking in Google Play: Joker malware targets Google Play store with new tactics." Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google's official application market by changing its code, its execution methods, or its payload-retrieval techniques. This spyware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services. Zscaler's ThreatLabz research team has been constantly monitoring the Joker malware and recently observed regular uploads of it onto the Google Play store. ThreatLabz notified the Google Android Security team, who took prompt action to remove the suspicious apps from the Google Play store. This prompted the team to evaluate how Joker is so successful at getting around the Google Play vetting process. The team saw 11 different samples uploaded to Google Play recently, clocking 30k installs. The research can be found here: Joker Joking in Google Play: Joker malware targets Google Play store with new tactics

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities,
Starting point is 00:01:10 solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So Joker is one of the most prominent malware families that is targeting Android devices. That's Deepen Desai. He's Chief Information Security Officer and VP of Security Research and Operations at Zscaler. The research we're discussing today is titled Joker Joking in Google Play: Joker Malware Targets Google Play Store with New Tactics.
Starting point is 00:02:59 ... to steal SMS messages, contact lists, device information, you know, anything that the bad guys can take advantage of for financial gains. They'll also use the infected devices to sign the victim up for some of the premium services. And so what drew your attention to Joker this round? Why a newly refreshed look at them? Right, so the team has been tracking this family. It is still one of the more prevalent families.
Starting point is 00:03:55 And what is slightly of concern is, I mean, despite the increase in all the public awareness about this particular malware strain, it keeps finding its way into the Google Play Store by employing changes in code, execution methods, and the way they are retrieving those second and third stage payloads. So what we saw over the past three months was regular uploads of Joker payloads to the Google Play Store. And the team identified it using some of the automation that we built in the labs. We reported over a dozen, or I should say close to a dozen, malicious apps that were active on the Google Play Store. The Android security team was awesome. They took rapid action, removed it. But as part of the analysis that the team did,
Starting point is 00:04:51 why did we see so many apps getting through? What we noticed was they did two or three new changes in this latest wave. One of them is they started using URL shortener services. If you're familiar with that, it's like using the shortened URLs like bit.ly.
Starting point is 00:05:14 There are many other shortened URL service providers. So they will use that to point to that second stage payload, which will then lead to a third stage payload. It's multi-stage payloads leveraging URL shortener services. The second change was they started
Starting point is 00:05:30 using XOR encryption. XOR encryption is a type of encryption that's used to basically obfuscate those next stage payloads. And then they are also leveraging time-bound checks. So it's not like the user executes it and the malicious code starts running right away. Instead, they will wait for a certain time
Starting point is 00:05:55 before the actual detonation of the malicious code takes place on the target device. And then one last thing that the team also mentioned in the blog as well was, I mean, there is some level of screening that these malware authors are doing on the infected mobile devices before executing some of the malicious functionality.
Starting point is 00:06:19 Yeah, and I want to dig into details on some of those things that you mentioned. Before we get to that, I mean, the research leads off with sort of a list of some of the names of the apps that were actually covering for Joker. And it struck me that like one of them is PDF Photoscanner. There's PDF Converter Scanner. There's Private Message, Read Scanner, Print Scanner. You know, these seem to be the types of apps where I have an immediate need and I want to get that immediate need taken care of right now. So it strikes me that there's even a bit of a social engineering element here where
Starting point is 00:06:58 I might not be as careful with something. If I'm, you know, I have a document in front of me and right now I need to scan this document, well, get me the, you know, the scanner app that's at the top of that list. Exactly. And you sort of do rely on, you know, the vetting that the Play Store, the official Play Store will do for these apps. So you're spot on. Majority of the malicious apps, in fact, the team found more than 50 malicious apps in last three months. And about 40% of those were belonging to what we call tools category, right? So exactly that you mentioned. And then there were other categories that we noticed as well.
Starting point is 00:07:40 I would say the top five categories were, in addition to tools, we saw health and fitness. I mean, most of us are home and everyone is trying to stay fit, you know, doing some of those workouts. There are photography apps, there's the personalization category of apps, and then communication was the last one where we saw abuse happening with the fake apps being uploaded. And one of the common themes was each of these apps was generally disguised using the actual apps' icons, wallpapers, nice-looking icons to target the victims. And do the apps actually have the functionality that they advertise? Do they do the thing that they say they're going to do? No, in the majority of the cases, they won't.
Starting point is 00:08:36 So you download this, you give it a run, and basically nothing happens, but it's too late. You've been infected. Yep. Wow. Interesting. Another interesting thing that you all bring up here is you've been tracking the developer names, which it seems as though they're using a systematic approach to kind of not have patterns for who the developers might be here.
Starting point is 00:09:02 Yeah, it wouldn't be surprising if they have automated some of the aspects over here. Obviously, Google is deploying a lot of stuff on their end as well to flag these kind of abuse accounts and abuse attempts of uploading these type of malicious payloads.
Starting point is 00:09:21 And you're seeing equal evolution happening on the bad guy's side as well. And these guys need to be making a good amount of profit because another thing that we noticed was the 11 payloads that were flagged very recently, there was a lot of changes in the coding style. So the modules that we saw, they are actively putting in time in evolving the malware, the way it executes, the way it's coded, the way it's being delivered. And so we wouldn't be surprised
Starting point is 00:09:53 if we keep seeing more and more stuff in the coming months as well. One of the things you highlight in the research is some changes that you've tracked when it comes to the command and control servers, those interactions. Can you take us through what you're seeing? Yeah, so on the CNC communication side,
Starting point is 00:10:12 what we saw, one was they were making use of the shortened URL services for hosting the multi-stage payloads. They also started using different encryption methods like AES, DES, for hiding the multi-stage payloads and also for doing CNC communication. In some of the previous variants that we saw, the CNC communication was plain text and it was easy to fingerprint and flag and block. So there was another change that we noticed. And like I said, it's part of that active evolution of this malware family that we're tracking in this newer variants. Can you walk us through the execution flow here? I mean, they come at you in multiple steps.
Starting point is 00:10:59 The typical execution flow starts with, as you mentioned at the start of the interview, you would be looking out for an app that you're looking to download to solve a certain problem, whether it's tools, whether it's health and fitness. You will look it up on the Play Store, download it. It gets downloaded through that URL shortener service. That will lead to download of stage one, stage two, and then the final payload, which is the actual
Starting point is 00:11:26 malicious payload. And what they are doing as part of this campaign is they're abusing the notification access piece. So once installed, the malware will prompt for notification access to the user. And the notification access basically grants permission to read all notification posted by the devices and any other installed applications as well. This is basically what is used to steal sensitive information
Starting point is 00:11:56 from the impacted device. Now, one of the things that you pointed out is that this malware will look for the presence of some other apps. What do you think is going on with that? Yeah, so that's a common tactic that you see on a lot of PC malware, where they will look for presence of security applications. They will also look for presence of previous variant of the same malware infection. And in some cases, malware belonging to a competition, if that was installed. Now,
Starting point is 00:12:32 in this case, what we noticed was that that functionality was just limited to flagging if there was a previous infection already. But it wouldn't be surprising if they add additional checks leveraging that same routine because now they have access to all the applications running on the device. They can use that to perform additional operations. Now, help me understand here. I mean, is it the case that when you have an app that you're putting on the Google Play Store, for example, and that app has functionality for downloading multiple payloads as part of its installation process or its normal range of operations. Would it be accurate to say that that's a fairly straightforward way for a malware operator to get something onto a system where, for example, you could have one payload while
Starting point is 00:13:24 you're submitting your app to Google Play to say, hey, here's our app. This is what it's about. Scan it, have at it, do all of your safety checks. And then once you're on the store, can you then change the contents of those payloads and off you go? Yeah, and that is exactly what a lot of these malware authors abuse. exactly what a lot of these malware authors abuse. Obviously, the Play Store Android security team will have some level of vetting happening on a regular basis wherever there is a network URL being reached out by some of the apps. But the scale at which they are operating as well,
Starting point is 00:13:59 there's millions of apps out there. It's a hard problem to solve. Right, right. So what are your recommendations then? I mean, if I'm someone going about my business using my Android device, how do I make sure that I don't fall victim to these sorts of things?
Starting point is 00:14:17 Yeah, so one of the common recommendations we always give is you stick to the official Play Store, but you would say, hey, in this case, that's where you found all the malware. So the next thing I would do is look at the author that uploaded the app. You would be able to tell the difference between the ones that are trusted,
Starting point is 00:14:37 have been around for a long time. I would even go ahead and look at the comments that are posted. A lot of these infected apps, what you will see is the functionality is not being delivered as promised. So you will see some angry users posting comments as well. And those are all telltale signs on whether you can trust an app or not. Do not just search and download the first app you see in the results, because that's basically what these guys are trying to take advantage of. from Zscaler for joining us. The research is titled Joker Joking in Google Play.
Starting point is 00:15:25 We'll have a link in the show notes. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award winning digital executive protection platform secures their personal devices, home networks, Thank you. Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Thanks for listening.
Starting point is 00:16:40 We'll see you back here next week.
