With the new Joker (2019) movie just showing in cinemas, we also get news of the rise of "Joker", a new Android malware spread across 472,000 mobile devices in total.
It is a new Android Trojan with malware dropper and spyware capabilities, somehow downloaded while hidden inside mobile applications, reaching 427,000 installs in total across 24 applications on the Google Play store.
This new Android malware, nicknamed "Joker", is hidden within advertisement frameworks used by the compromised mobile applications, and it is designed to download additional components to execute more advanced capabilities: not just clicking on hidden advertisements to accumulate revenue from advertisers, but also harvesting device information from the mobile application user, from the contact list, calls and credit card information, and performing clicks and entering authorization codes for premium service subscriptions without the mobile application user being aware. It does so by leveraging its SMS collection module to sign victims up for premium subscriptions, using the authorization codes automatically extracted from authorization text messages. In other words, two-factor authentication (2FA) is compromised in this way on infected devices.
At the time, only selected countries are targeted, that is, if you download from those countries' Play Store, including but not limited to Australia, France, Germany, India, the UK, and the US. The application sends commands and code to be executed via JavaScript-to-Java callbacks on compromised devices, to protect the Trojan from being detected by static analysis, a form of mobile application static security testing (Mobile SAST). It further makes use of "custom string obfuscation schemes for all the configuration, payload, communication parsing procedures" to make it harder for Mobile SAST to detect it.
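As an added example (not code from the original post or from any referenced vendor), the following Python script shows one static check a defender can run before publishing or approving an app: it parses an AndroidManifest.xml and flags the permission combinations that match the capabilities described above (SMS collection for authorization codes, contact and call-log harvesting) when they coexist with network access. The Android permission names are real; the capability grouping, the review rule and the sample manifest are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups mapped to the capabilities described for Joker.
# The permission names are real Android permissions; grouping them this way
# is this example's own heuristic, not an official classification.
CAPABILITIES = {
    "sms_collection": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    "call_log_harvest": {"android.permission.READ_CALL_LOG"},
}
NETWORK = "android.permission.INTERNET"

def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }

def triage_manifest(manifest_xml: str) -> dict:
    """Flag which harvesting capabilities are declared and whether a network path exists."""
    perms = requested_permissions(manifest_xml)
    found = {cap for cap, needed in CAPABILITIES.items() if perms & needed}
    return {
        "capabilities": sorted(found),
        "network": NETWORK in perms,
        # Worth a manual review when harvesting permissions coexist with network access
        "review": bool(found) and NETWORK in perms,
    }

# Constructed sample manifest (hypothetical wallpaper-style app, not a real package)
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Sample"/>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A manifest check like this only surfaces candidates for review; an app that drops its harvesting component at runtime, as the post describes, will not declare everything up front, so pair it with dynamic testing.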
Joker has been active since around early June, but no one knows how long it was present while undetected. Google has proactively removed all Joker-infected applications from the Play Store, but users are advised to check their mobile devices for any that were installed before that action was taken.
A lesson from the case? Mobile applications are a popular platform for malware to spread and infect millions of mobile devices, in particular when hidden inside "free" or "advertisement sponsored" mobile applications, since the general public will download them because they are free and already expect to watch advertisements in exchange for free use of the application.
For enterprise customers who have their own mobile applications and use the app store for distribution, it is important to make sure whatever mobile application they intend to upload has undergone mobile application security testing (Mobile AST), together with source code static analysis. Most of the time, modern developers do not develop everything from scratch; they buy or make use of "free" components in their own mobile applications. A company process for monitoring indicators of compromise (IoC) will be important for benchmarking and self-monitoring of any cyber exposure that happens, so that immediate action can be taken.
E-SPIN is active in the cybersecurity testing domain, including mobile application security testing (Mobile AST), static application security testing (SAST), IDE secure code review, software composition analysis (SCA), dynamic application security testing (DAST), or even DevSecOps CI/CD integration, etc., for partners and customers across the region. Feel free to contact E-SPIN for your project and requirements.