A new malware campaign has managed to infiltrate the official Google Play store to deploy the Joker Trojan to Android devices in a bid to conduct ad fraud.
Last week, security researcher Aleksejs Kuprins from cybersecurity threat intelligence firm CSIS Security Group said the surge of malicious activity has been tracked in recent weeks, leading to the discovery of 24 Android applications containing the malware.
In total, the applications — made available through Google Play — have been installed over 472,000 times by unwitting Android handset owners.
The malicious applications contained a Trojan dubbed Joker by the cybersecurity firm, a name that references one of the domain names connected to the operator’s command-and-control (C2) server.
The malicious code contains the usual list of Trojan functions including the theft of SMS messages, contact information, and device data, and constantly pings its C2 for commands. However, Joker goes further by attempting to generate profit for its operator through fraudulent advertising activity.
Joker is able to interact with ad networks and websites by simulating clicks and silently signing up victims for premium services. In one example, Joker signed up users in Denmark for a premium website service costing roughly 7 euros a week by simulating clicks on the website, automatically entering the operator’s offer codes, and extracting confirmation codes from SMS messages sent to the target device. These codes are then submitted to the ad website to complete the process.
In other cases, the malware may simply send SMS messages to premium numbers.
Each fraudulent ‘job’ is received from the C2 and once premium service signups are complete, Joker informs the C2 and awaits further instructions.
Joker’s operators focus on 37 specific countries as targets, including China, the UK, Germany, France, Singapore, and Australia. Many of the infected apps found by the researchers contain a list of Mobile Country Codes (MCC) and the SIM card on an infected device has to relate to acceptable MCC for Joker to execute.
Most of these applications will not deploy the malware if users are in the United States or Canada; however, a handful of them do not contain any country restrictions.
When it comes to Joker’s attribution, nothing has been set in stone, but the interface of the C2’s administration panel and some of the bot’s coding indicate that the developers of the malware could be Chinese.
While the number of installs is relatively high, without the need for disclosure from the researchers, Google has detected and removed all of the malicious apps from Google Play. Malware creeping into official app repositories is a constant challenge, but in this case, the CSIS Security Group says the tech giant “seems to be on top of this threat as much as it is possible.”