Researchers have said that with small changes to its code the Joker malware to get past the Play store’s security and vetting barriers.

Late last year we saw the Joker malware surface and spread like wildfire. The latest report from Check Point’s researchers has discovered a new variant of the Joker Dropper and Premium Dialer spyware in the Google Play Store. These were found hiding inside of seemingly legitimate applications. This new updated Joker malware can download additional malware to the device, which in turn subscribes the victim to a number of premium services without their consent.

Meantime, Google has removed 11 apps from the Play Store infected with the notorious Joker malware. The applications include include com.imagecompress.android, com.relax.relaxation.androidsms, com.cheery.message.sendsms (two different instances), com.peason.lovinglovemessage, com.contact.withme.texts, com.hmvoice.friendsms, com.file.recovefiles, com.LPlocker.lockapps, com.remindme.alram and com.training.memorygame.

Joker malware: Everything you need to know

The researchers have said that with small changes to its code the Joker malware to get past the Play store’s security and vetting barriers. This time along the Joker malware has adopted an old technique from the conventional PC threat landscape to avoid detection by Google. The newly modified Joker virus uses two main components to subscribe, app users to premium services. These components are: Notification Listener service and dynamic dex file loaded from the C&C server.

To minimize the Joker’s code, the developer hid the code by dynamically loading it onto a dex file, while at the same time, ensuring that it is able to completely load when triggered. The code inside of the dex file is encoded as Base64 encoded strings, that start decoding and loading as soon as the victim opens the affected apps.

The original Joker malware communicated with the C&C, and then downloaded the dynamic dex file, which was loaded as casses.dex. However, the new modified version of the code is embedded in a different zone, with the classes.dex file loading a new payload. The malware is triggered by creating a new object that communicates with the C&C.

@martin_christopher