Researchers at Cyble Inc have discovered a new wave of the Joker Android malware, this time posing as a QR scanner app.
Joker combines spyware and Trojan capabilities and is built to slip past traditional malware analysis and app-store vetting.
The sample was found on the Play Store disguised as an app named Free QR Scanner, published under the developer name Marcelo Bruce. Researchers learned of the app from a user's tweet and determined it was an updated Joker variant, which subscribes victims to premium services without their knowledge and downloads additional malware onto their devices.
The researchers note that Joker's authors constantly change the application's behavior, its payload-retrieval techniques and its execution methods to stay ahead of Play Store detection.
The attackers rely on dynamic code loading (DCL), a common evasion technique in which code that is not present in the APK reviewed by the store is fetched and executed at runtime, to retrieve an additional payload. Once the app is installed and the user opens it, it connects to its command-and-control (C2) server, which serves the Trojan payload; nothing malicious runs before first launch.
Joker can steal data from the victim's phone, including text messages and contacts. It reads the device's notifications, which include incoming SMS, and can send its own messages without the user's knowledge; reading notifications is typically how it captures the confirmation codes that premium subscription services send by SMS. It uses text messages to subscribe victims to paid services:
“The application has several Wireless Application Protocol (WAP) subscription URLs for its billing service. WAP billing is a payment method for purchasing content from sites, with the charges being directly added to the mobile phone bill. Using this billing service, attackers can target countries including the U.S., the U.K., India, Thailand, and Vietnam.”
These subscriptions charge victims on a daily, weekly, or monthly basis, allowing attackers to generate income.
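The three behaviours above (runtime code loading, SMS and notification access, and embedded WAP billing URLs) are the indicators an analyst would look for when triaging a QR-scanner APK. The script below is an added example and is not code from the article or from Cyble: it runs a heuristic over the decoded AndroidManifest.xml and the string table pulled from the app's DEX files (apktool, androguard or similar produce both). The indicator lists, the verdict rule, the package name com.example.qrscanner and the sample inputs are all constructed for illustration.

```python
"""Heuristic APK triage for the Joker indicators described above.

Added example, not code from the article or from Cyble. Input is the decoded
AndroidManifest.xml text plus the DEX string table; indicator lists, weighting
and both sample inputs are assumptions made here for illustration.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a QR scanner has no legitimate need for (assumed indicator set).
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_SMS": "reads stored SMS",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS",
    "android.permission.SEND_SMS": "sends SMS without user interaction",
}
# A service guarded by this permission receives every notification, SMS included.
NOTIFICATION_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# DEX string-table entries that appear when code is loaded at runtime (DCL)
# or when the SMS API is referenced.
DCL_MARKERS = {
    "Ldalvik/system/DexClassLoader;",
    "Ldalvik/system/PathClassLoader;",
    "Ldalvik/system/InMemoryDexClassLoader;",
}
SMS_API_MARKERS = {"Landroid/telephony/SmsManager;"}
# Crude WAP-billing URL pattern; the keyword list is an assumption.
WAP_BILLING_RE = re.compile(r"https?://\S*(?:wap|billing|subscri)\S*", re.I)


def permissions_from_manifest(manifest_xml):
    """Return (requested permissions, services bound as notification listeners)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    listeners = {
        el.get(ANDROID_NS + "name")
        for el in root.iter("service")
        if el.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER_PERM
    }
    return perms, listeners


def triage(manifest_xml, dex_strings):
    """Collect indicators; returns {'findings': [...], 'score': n, 'verdict': str}."""
    findings = []
    perms, listeners = permissions_from_manifest(manifest_xml)
    for perm in sorted(perms.intersection(SUSPICIOUS_PERMISSIONS)):
        findings.append(f"permission {perm}: {SUSPICIOUS_PERMISSIONS[perm]}")
    for svc in sorted(listeners):
        findings.append(f"notification listener {svc}: can read SMS shown as notifications")
    dcl = sorted(DCL_MARKERS.intersection(dex_strings))
    if dcl:
        findings.append("dynamic code loading via " + ", ".join(dcl))
    if SMS_API_MARKERS.intersection(dex_strings):
        findings.append("references android.telephony.SmsManager")
    wap_urls = [s for s in dex_strings if WAP_BILLING_RE.fullmatch(s)]
    for url in wap_urls:
        findings.append(f"embedded WAP billing URL {url}")

    sms_capable = bool(perms.intersection(SUSPICIOUS_PERMISSIONS) or listeners)
    # Verdict rule (assumption): the combination the article describes, runtime
    # code loading plus SMS/notification access plus billing URLs, is what marks
    # a toll-fraud loader rather than a merely over-permissioned app.
    if dcl and wap_urls and sms_capable:
        verdict = "likely toll-fraud loader"
    elif findings:
        verdict = "review"
    else:
        verdict = "no indicators"
    return {"findings": findings, "score": len(findings), "verdict": verdict}


# Constructed sample inputs: a fake QR-scanner manifest and DEX strings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_DEX_STRINGS = [
    "Lcom/example/qrscanner/MainActivity;",
    "Ldalvik/system/DexClassLoader;",
    "Landroid/telephony/SmsManager;",
    "https://example.invalid/wap/subscribe?cid=42",
]

if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, SAMPLE_DEX_STRINGS)
    print(result["verdict"], result["score"])
    for finding in result["findings"]:
        print(" -", finding)
```

A DexClassLoader reference alone is not proof of malice (plugin frameworks and some ad SDKs use it), which is why the verdict requires the SMS capability and the billing URLs together; in practice the loaded payload must still be pulled from the C2 at runtime and analysed separately, since by design it is absent from the APK.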