{"id":19599,"date":"2022-07-14T07:10:38","date_gmt":"2022-07-14T15:10:38","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/07\/14\/news-13332\/"},"modified":"2022-07-14T07:10:38","modified_gmt":"2022-07-14T15:10:38","slug":"news-13332","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/07\/14\/news-13332\/","title":{"rendered":"New variant of Android SpyJoker malware removed from Play Store after 3 million+ installs"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Thu, 14 Jul 2022 15:03:32 +0000<\/strong><\/p>\n

Security researcher\u00a0Maxime Ingrao<\/a>\u00a0has found a new variant of Android\/Trojan.Spy.Joker which he’s dubbed Autolycos. Malware in this family secretly subscribes users to premium services. The researcher noted that the eight applications that contained this malware had racked up a total of over 3 million downloads.<\/p>\n

Toll fraud malware<\/h2>\n

Toll fraud malware is a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent. At the moment, toll fraud malware\u2014also known as fleeceware\u2014is one of the most prevalent types of Android malware. And not only does the number of infections keep going up, so does the sophistication of the malware.<\/p>\n

Joker<\/h2>\n

Android\/Trojan.Spy.Joker was the first major family that specialized in this field. It was first found in the Play Store in 2017. Joker is capable of clicking on online ads, and asks for SMS permissions during installation\u00a0so it can\u00a0access One Time Passwords (OTPs) to secretly approve payments. The user will never know that they have been subscribed to some service online until they check their bank statements or phone invoice.<\/p>\n

Detection<\/h2>\n

Google uses the name Bread for the Joker malware family. In January, 2020, Google Play Protect\u00a0detected and removed 1,700 unique Bread apps<\/a>\u00a0from the Play Store. By using as little code as possible and thoroughly hiding it, Joker generates a very discreet footprint which makes it hard to detect. But SMS and toll fraud generally require some basic\u00a0functionality\u00a0like disabling WiFi which needs one of a handful of APIs. Since Joker expects security researchers to look for those APIs, it uses a wide variety of techniques to mask the usage of them.<\/p>\n

Slow response<\/h2>\n

The small footprint and masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store. But that doesn\u2019t explain why it took Google over a year to remove the eight apps reported by Maxime Ingrao. He reported the apps in June, 2021, and the last two were removed on July 13, 2022. It’s possible they would still be available if the researcher hadn\u2019t gone public because he said he got tired of waiting.<\/p>\n

Autolycos<\/h2>\n

As mentioned earlier, the malware is still undergoing development. What is new about this type is that it no longer requires a WebView. WebViews are exactly what the name indicates\u2014a small view to a piece of Web content. A WebView can be a tiny part of the app screen, a whole page, or anything in between. Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on. Autolycos avoids WebView by executing URLs on a remote browser and then including the result in HTTP requests.<\/p>\n

Malicious apps<\/h2>\n

BleepingComputer posted the\u00a0list of malicious apps<\/a> found by Maxime Ingrao, which users may still have installed:<\/p>\n