64 new variants of ‘Joker’ malware have invaded Android app stores

Malicious Android apps are nothing new, even on the supposedly well-curated Google Play Store. Indeed, just a couple of days ago, Google was forced to remove 17 Android apps that contained a malware family known as “Joker.” Joker-laden apps masquerade as legitimate and may even provide useful functions to their users — however, some time after the app has been downloaded onto a given device, its true, sinister goal is achieved.
In the case of the 17 apps mentioned before, that purpose involves swiping users’ SMS information to sign them up for premium Wireless Application Protocol (WAP) services, according to security research firm Zscaler.

However, that virus crackdown is only the latest in a longer string of Joker outbreaks: similar clusters of Joker-laden apps have appeared many times over the past few years, with the first hitting Android marketplaces in late 2016.

Joker wouldn’t be such a significant issue were it not for two things: the popularity of the apps it’s been injected into, and its widespread deployment across not just the Google Play Store, but a variety of third-party Android app stores, some of which have even more lax security standards.

According to Zscaler, the 17 apps involved in the latest Google crackdown were downloaded a whopping 120,000 times in total. That’s 120,000 potential victims, and the problem is only getting worse: new reports suggest 64 new Joker variants have already been discovered in just the past couple of weeks.

Mobile security firm Zimperium describes the “full attack chain” of Joker in a flowchart, which breaks down as follows:

First, the app “decodes” or decrypts strings to obtain and load a URL to a malicious “dex” file. Then, the dex file is downloaded from said URL, and it’s loaded onto the system using “reflection techniques” that invoke the “DexClassLoader constructor.” Finally, the file performs whatever malicious tasks it was developed to do, with the device owner often being none the wiser.
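For defenders triaging a decompiled APK, the three stages above can be looked for together in its smali output. The sketch below is an added example, not Zimperium's or Zscaler's tooling: the choice of API signatures as indicators, the assumption that the hidden strings are Base64 (the article only says "decodes or decrypts"), and the sample input are all constructed for illustration.

```python
import base64
import re

# Real Android/Java smali signatures; using them as stage indicators is an assumption.
STAGES = {
    "decode": [r"Landroid/util/Base64;->decode", r"Ljavax/crypto/Cipher;->doFinal"],
    "download": [r"Ljava/net/URL;->open(Connection|Stream)"],
    "reflect_load": [r"Ljava/lang/Class;->forName",
                     r"Ljava/lang/reflect/Constructor;->newInstance",
                     r"Ldalvik/system/DexClassLoader;-><init>"],
}
CONST_STRING = re.compile(r'const-string(?:/jumbo)?\s+\w+,\s*"([^"]*)"')
HIDDEN = re.compile(r"DexClassLoader|https?://\S+")

def try_base64(literal):
    """Decode a literal only if it is strict Base64 of printable ASCII text."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None

def triage(smali):
    """Return ({stage: [line numbers]}, [(line number, decoded literal)])."""
    hits, hidden = {stage: [] for stage in STAGES}, []
    for no, line in enumerate(smali.splitlines(), 1):
        for stage, patterns in STAGES.items():
            if any(re.search(p, line) for p in patterns):
                hits[stage].append(no)
        m = CONST_STRING.search(line)
        decoded = try_base64(m.group(1)) if m else None
        if decoded and HIDDEN.search(decoded):
            hidden.append((no, decoded))
    return hits, hidden

def matches_chain(hits):
    return all(hits.values())  # decode, download and reflective load all present

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample, not from a real Joker app; the URL is a placeholder.
SAMPLE = "\n".join([
    f'const-string v0, "{_b64("https://example.invalid/payload.dex")}"',
    "invoke-static {v0, v1}, Landroid/util/Base64;->decode(Ljava/lang/String;I)[B",
    "invoke-virtual {v2}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;",
    f'const-string v3, "{_b64("dalvik.system.DexClassLoader")}"',
    "invoke-static {v3}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;",
])
```

Strings hidden with anything other than Base64 will not be recovered by `try_base64`, but the stage hits still show when all three behaviours are present in one app. Legitimate apps can also combine these calls, so a match is a reason for closer review rather than a verdict.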

It will be difficult for Google to keep a handle on this massive influx of sophisticated, virus-laden apps, but we’ll let you know if the problem gets worse or improves over the coming months.

In the meantime, Android users should only download apps from developers they fully trust and avoid leaving unused apps on their phones without good reason.