This week, malware was discovered in two Android apps featured on the Google Play Store. The names of these applications are ‘Smart TV remote’ and ‘Halloween Coloring,’ with the former having received over 1,000 downloads.
Tatyana Shishkova, an Android malware specialist at Kaspersky, was first to reveal the two Joker-infected Google Play applications. One of these applications – Smart TV Remote – has been downloaded over 1,000 times since its release on October 29th.
The Joker malware’s authors embed malicious code in seemingly innocent apps and distribute them through official app stores. Over 500,000 Huawei Android handsets were revealed to be infected with it earlier this year. Once installed, the malware signs victims up for premium mobile services (billing fraud) without their knowledge or consent.
According to Shishkova, the malicious code in the Smart TV remote app is found in the file “resources/assets/kup3x4nowz”. A similar file named “q7y4prmugi” exists at the same location in the Halloween Coloring app. Each file holds a base64-encoded Linux ELF binary (base64 is an encoding, not encryption, so the payload is only hidden from casual inspection, not protected).
When run, the ELF downloads a second-stage payload from an Amazon S3 bucket (the hosts below are S3 regional endpoints). The second-stage URLs embedded in the ELFs are as follows:
- Smart TV remote app: https://50egvllxk3.s3.eu-west-3.amazonaws[.]com/yr41ajkdp5
- Halloween Coloring app: https://nwki8auofv.s3.sa-east-1.amazonaws[.]com/vl39sbv02d
The downloaded files are XOR-obfuscated with the single-byte key 0x40; decoding them yields APK archives. In essence, the seemingly harmless ‘Smart TV remote’ and ‘Halloween Coloring’ apps are loaders: fronts used to pull further malicious software onto the device.
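The two-layer packaging described above (a base64-encoded ELF in the assets folder, then a single-byte-XOR-obfuscated APK fetched at runtime) is easy to triage mechanically. The following Python script is an added example, not code from the report or from Kaspersky: it decodes an asset blob and checks for the ELF magic, brute-forces the single-byte XOR key of a downloaded payload by looking for the ZIP local-header magic (so it recovers 0x40 without assuming it), and confirms the result is an APK by checking for AndroidManifest.xml and a .dex entry. The sample asset and payload are constructed in the script and stand in for the real files; the function names are the author's own.

```python
import base64
import io
import zipfile
from typing import Optional, Tuple

ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"          # local file header at the start of a ZIP/APK
REPORTED_XOR_KEY = 0x40            # single-byte key reported for the second stage


def decode_asset_blob(data: bytes) -> bytes:
    """Base64-decode an asset such as resources/assets/kup3x4nowz.
    Whitespace is stripped first so line-wrapped dumps still decode."""
    return base64.b64decode(b"".join(data.split()), validate=False)


def xor_decode(blob: bytes, key: int) -> bytes:
    """Undo single-byte XOR obfuscation (XOR is its own inverse, so this also encodes)."""
    return bytes(b ^ key for b in blob)


def classify_blob(blob: bytes) -> str:
    """Return 'elf', 'apk', 'zip' or 'unknown' from magic bytes and, for ZIPs, the APK layout."""
    if blob.startswith(ELF_MAGIC):
        return "elf"
    if blob.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "unknown"
        if "AndroidManifest.xml" in names and any(n.endswith(".dex") for n in names):
            return "apk"
        return "zip"
    return "unknown"


def recover_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force the single-byte XOR key that turns the first four bytes into the ZIP magic.
    Generalises the fixed 0x40 key; returns None if no key works."""
    head = blob[:4]
    for key in range(256):
        if bytes(b ^ key for b in head) == ZIP_MAGIC:
            return key
    return None


def triage_second_stage(blob: bytes) -> Tuple[Optional[int], str]:
    """Classify a downloaded second-stage payload, de-XORing it if a key is found."""
    key = recover_xor_key(blob)
    if key is None:
        return None, classify_blob(blob)
    return key, classify_blob(xor_decode(blob, key))


# --- constructed sample data (assumption: stand-ins, not the real malware files) ---
def _build_fake_apk() -> bytes:
    """Minimal ZIP with the two entries an APK must carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", "dex\n035\x00")
    return buf.getvalue()


# 64-byte stand-in for the embedded ELF: only the magic matters for classification.
SAMPLE_ASSET = base64.b64encode(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57)
# Fake APK obfuscated with the reported key, standing in for yr41ajkdp5 / vl39sbv02d.
SAMPLE_STAGE2 = xor_decode(_build_fake_apk(), REPORTED_XOR_KEY)


if __name__ == "__main__":
    print("asset decodes to:", classify_blob(decode_asset_blob(SAMPLE_ASSET)))
    print("stage 2 as downloaded:", classify_blob(SAMPLE_STAGE2))
    print("stage 2 key and type:", triage_second_stage(SAMPLE_STAGE2))
```

To run this against a real sample, read the asset file into `decode_asset_blob` and the downloaded payload into `triage_second_stage`; a downloaded blob that neither classifies as-is nor yields a ZIP header under any single-byte key is using a different scheme and needs manual inspection.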
Google Play Protect examines applications when you install them and also scans your device regularly. According to Google’s official documentation, if it identifies a potentially harmful app, it may send you a message… disable the app until you delete it, [or] remove the app automatically. Note that both of these apps were listed on the Play Store despite that scanning, so Play Protect is a backstop, not a guarantee.
Users who installed either app should uninstall it immediately, wipe (factory-reset) their phones, since a second-stage APK may have been dropped on the device, and check their carrier bills and accounts for unauthorized subscriptions or charges.