The Google Play Store is typically considered one of the safest sources for users to find and install Android apps. However, threat actors continue to evolve their tactics and still manage to upload dangerous, malware-laced apps to the Google Play Store.
Recently, the Zscaler ThreatLabz team discovered multiple apps carrying the Joker, Facestealer, and Coper malware families in the virtual marketplace. The ThreatLabz team immediately notified the Google Android Security team of these newly identified threats, and they promptly removed the malicious apps from the Google Play Store.
The following is the technical analysis of these three malware family payloads that were recently discovered in the Play Store:
Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google’s official app store by regularly modifying the malware’s trace signatures including updates to the code, execution methods, and payload-retrieving techniques. This malware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services. Over the past two months, our ThreatLabz researchers discovered the following malicious Joker downloader apps in the Google Play Store:
ThreatLabz has discovered over 50 unique Joker downloader apps on the Play Store to date. Combined, these apps were downloaded over 300k times, and they typically fall into one of the following common categories:
The following is the breakdown of the number of apps per category:
The Tools and Communication categories were the most heavily targeted, accounting for the majority of the Joker-infected apps. ThreatLabz observed daily uploads of apps containing the Joker malware, indicating the high activity level and persistence of the adversary group. Consistent with previous findings, ThreatLabz's latest discoveries in the Joker campaign continue to follow similar developer naming patterns and use familiar techniques. Check out our previous blog, Joker Joking in Google Play, for a more in-depth analysis of this specific campaign.
The following is the technical analysis of the Enjoy Message Joker app:
The Joker malware authors develop and release a range of apps, from the very complex to the incredibly simple. Instead of waiting for apps to reach a certain volume of installs and reviews before swapping in a malware-laced version, the Joker developers now hide the malicious payload in a common asset file and package the application using commercial packers. This is one of the primary reasons these malicious apps often go undetected by antivirus software and during evaluation by the Play Store.
Most commonly, threat actors disguise the Joker malware in messaging applications that require users to grant escalated access permissions by allowing them to serve as the default SMS app on the user's phone. The malware uses these advanced permissions to carry out its operations.
In the Enjoy SMS application, the payload is hidden at a known path, but the path itself is obfuscated in the application's class.
Fig 1: Obfuscated path of the payload
Upon deobfuscation, the path becomes visible: the payload resides under the asset path "io/michaelrocks/libphonenumber/android/data/PhoneNumberAlternateFormatsProto_53".
A hash derived from the application's package name serves as the AES decryption key. Decrypting the payload with this key yields a native executable (.so) file that should contain the following declared functions.
Fig 2: Function/class names of similar known SDKs
To deter investigation, the class and method names of the functions mimic those of known SDKs.
The "onInstall" function in the hidden, dropped executable is called at runtime after the library is loaded via "System.loadLibrary".
Fig 3: Implementation of malicious code inside executable
As shown above, the executable loads the method ‘Wnjre’ from the ‘com.Brling’ class. The dropped executable hides its payload behind Base64 encoding.
Fig 4: Base64-encoded content
The second payload downloads a known weaponized Java ARchive (JAR) file as a third payload as shown below.
Fig 5: Decrypted payload
The following are some examples of common techniques used by the Joker malware:
1. The app confirms if its package is still live on the Google Play Store.
Fig 6: Checks Google Play Store to confirm the app is still live.
2. Many Joker apps hide the payload in the assets folder of the Android Package Kit (APK) and ship an ARM ABI executable to avoid detection by most sandboxes, which are based on the x86 architecture.
3. Joker malware hides payloads with different types of encryption, including XOR, AES, DES, and ElGamal, often inside fake versions of known asset files. Some of these carry extensions such as JSON, TTF, PNG, or database files. In several examples, apps encrypt and hide the malicious payload in the meta-data of the app manifest file. More often than not, the decryption key is derived from the package name of the app, possibly to avoid the additional effort of customizing decryption routines.
Fig 7: ElGamal encryption
Fig 8: DES key derivation from the package name
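Technique 3 above gives a defender two cheap triage signals for an APK: an asset that is near-random (encrypted) and an asset whose header does not match the extension it claims. The script below, an added example rather than ThreatLabz tooling, applies both checks to every entry under assets/; the APK it scans is constructed in memory (the libphonenumber path is the one named above, the other names and the magic-byte table are assumptions) so it runs offline.

```python
import io, math, random, zipfile
from collections import Counter

# Header bytes a file with this extension should start with (assumption: enough for triage).
MAGIC = {".png": (b"\x89PNG\r\n\x1a\n",), ".ttf": (b"\x00\x01\x00\x00", b"true"),
         ".json": (b"{", b"[")}
ENTROPY_THRESHOLD = 7.2  # bits/byte; encrypted or compressed data sits close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def magic_mismatch(name: str, data: bytes) -> bool:
    """True when the extension claims a known format but the file header disagrees."""
    base = name.rsplit("/", 1)[-1]
    ext = base[base.rfind("."):].lower() if "." in base else ""
    expected = MAGIC.get(ext)
    return expected is not None and not data.lstrip().startswith(expected)

def triage_assets(apk_bytes: bytes) -> list[dict]:
    """Return the assets/ entries that look like disguised encrypted payloads, with reasons."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = zf.read(info)
            if len(data) < 512:  # tiny files give noisy entropy estimates
                continue
            reasons = []
            ent = shannon_entropy(data)
            if ent >= ENTROPY_THRESHOLD:
                reasons.append(f"entropy {ent:.2f} bits/byte")
            if magic_mismatch(info.filename, data):
                reasons.append("header does not match extension")
            if reasons:
                findings.append({"path": info.filename, "reasons": reasons})
    return findings

def build_sample_apk() -> bytes:
    """Constructed sample APK: two benign assets plus two disguised encrypted blobs."""
    rng = random.Random(2022)  # deterministic stand-in for ciphertext bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("assets/config.json", '{"locale": "en", "ads": false}\n' * 40)
        zf.writestr("assets/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 2000 + b"IEND")
        zf.writestr("assets/io/michaelrocks/libphonenumber/android/data/"
                    "PhoneNumberAlternateFormatsProto_53", rng.randbytes(4096))
        zf.writestr("assets/fonts/roboto.ttf", rng.randbytes(2048))  # random bytes, not a font
    return buf.getvalue()
```

Running `triage_assets` on a real APK only narrows the search; a flagged asset still has to be decrypted (for Joker, usually with a key derived from the package name) to confirm it is a payload.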
Facestealer malware, known for targeting Facebook users with fake Facebook login screens, was also discovered on the Google Play Store. Once the device is infected, the user is prompted to log in to Facebook and can’t use the app without entering their credentials. Upon successful login, the credentials as well as the auth tokens are stolen by the malware author.
Fig 9: Fake Facebook login screen
Fig 11: Base64 decoded
Fig 12: Shows the "c_url" parameter pointing to the remote C2 that receives the stolen Facebook credentials.
Coper is a well-known trojan that targets banking applications in Europe, Australia, and South America, disguised as a legitimate app in the Google Play Store. Once downloaded, this app unleashes the Coper malware infection, which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing overlay attacks, preventing uninstalls, and generally allowing attackers to take control of and execute commands on the infected device via a remote connection to a C2 server. These activities ultimately give attackers the information and access they need to steal money from victims.
Fig 13: Unicc QR Scanner app laced with Coper malware on Google Play Store
This app disguises itself as a free QR scanner. Once installed, the app immediately prompts the user to update the app.
Fig 14: Screenshots show the process of enabling the malware infection by asking the user to upgrade the app, then prompting them to further grant advanced access permissions to the app in their device settings.
Next, the threat actors use a trojan dropper, designed to install malware or a backdoor on a device, that leverages the Google Firebase app developer tool to call out and receive the URL that will deliver the malicious payload, as shown in the screenshot below.
Fig 15: Firebase call-out
The malware downloads a configuration that includes the URL hosting the new malicious payload. As shown in the screenshot below, the file name of the new payload is set in the Android SharedPreferences file, and the name of the installed payload keeps changing from one installation to the next.
Fig 16: Shared preferences
The newly installed file is a fake Google Play Store app with the package name “com.fromtoo2” that immediately prompts the user to grant escalated accessibility permissions, giving it full control of the user's phone.
In the background, the fake Google Play Store app loads the libWeEq.so executable file and calls the predefined MvsEujZ function as further shown and described below.
Fig 17: MvsEujZ function called from executable file
The MvsEujZ function shown above decrypts a runnable file with a static key found in the executable, and the decrypted component prompts the user to grant escalated accessibility permissions at launch. After decryption by libWeEq.so, the Coper code base becomes visible, as shown in the screenshot below.
Fig 18: Coper codebase
This final payload uses Rivest Cipher 4 (RC4) encryption to hide its malicious signatures and avoid detection. The following screenshot shows the decrypted C2 server addresses used by the Coper malware.
Fig 19: Screenshot shows the decoded contents of the payload
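Once the static RC4 key has been lifted from a decrypted Coper payload, the obfuscated strings can be turned back into usable indicators. The following is an added example, not Coper code or ThreatLabz tooling: a plain RC4 routine plus a filter that keeps only decryptions that look like C2 URLs. The key, the strings and the Base64 wrapping are all constructed for the demo.

```python
import base64
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation algorithm, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Only accept decryptions that parse as a URL; anything else is a wrong key or not a C2 string.
URL_RE = re.compile(rb"https?://[\w.-]+(?::\d+)?(?:/[\w./-]*)?")

def extract_c2(key: bytes, blobs: list[str]) -> list[str]:
    """Decrypt each Base64-wrapped RC4 blob and return the ones that decode to a URL."""
    found = []
    for b64 in blobs:
        plain = rc4(key, base64.b64decode(b64))
        if URL_RE.fullmatch(plain):
            found.append(plain.decode())
    return found

# Constructed sample standing in for strings lifted from a decrypted payload.
SAMPLE_KEY = b"constructed-static-key"
SAMPLE_STRINGS = [b"http://c2.example.invalid:8080/gate",
                  b"not a c2 string",
                  b"https://backup.example.invalid/api"]
SAMPLE_BLOBS = [base64.b64encode(rc4(SAMPLE_KEY, s)).decode() for s in SAMPLE_STRINGS]

if __name__ == "__main__":
    for url in extract_c2(SAMPLE_KEY, SAMPLE_BLOBS):
        print(url)
```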
In case the Virtual Network Computing (VNC) service for remote-control access is not available, the malware authors fall back on the Android TeamViewer app to monitor the screen of the infected device, as shown in the screenshot below.
Fig 20: Screenshot shows the code enabling attackers to use TeamViewer to monitor the screen of a device remotely
Fig 21: Shows attackers leveraging the Android WebView component
What Android users can do to avoid infection by this malware:
Don’t install unnecessary, untrusted, or un-vetted apps on your mobile device. Stick to the sources and providers you know and trust, and seek out apps that are recommended by sources you trust and that also have very high install numbers and positive reviews.
Don't grant notification listener permissions or escalated accessibility permissions to apps you don't fully trust. Enabling a notification listener adds the app's package name to the enabled_notification_listeners settings provider, which lets the app read every notification, including sensitive ones such as auto-generated one-time passwords/PINs (OTPs).
Avoid installing messaging apps if possible, or use extreme caution and take the time to research the app and ensure that it is well known and well reviewed. Even when a link comes from a trusted friend asking you to download a messaging app, consider the possibility that your friend’s device is compromised by malware: confirm with them first, and then still conduct your own research and verify that the app has a well-established and safe reputation before installing it. Messaging apps require the READ_SMS permission to function, and malware can easily leverage that permission to gain information, including OTPs it can use to further compromise victims.
If you become a victim of a malicious app from the Play Store, inform Google about it immediately through the support options in your Play Store app. It is important that we work together to identify, flag, and remove malicious apps from our preferred app stores as soon as possible, to limit the spread of malware and inhibit the success of threat actors.
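The two grants just described are the ones worth auditing on a device that may have run one of these apps. The script below is an added example (not from the post): it parses the values that `adb shell settings get secure enabled_notification_listeners` and `... enabled_accessibility_services` print, a colon-separated list of package/component entries, and reports the packages that are not on an allowlist. The sample values and the allowlist are constructed; `com.fromtoo2` is the fake Play Store package named above.

```python
import subprocess

SETTINGS = ("enabled_notification_listeners", "enabled_accessibility_services")

def parse_components(value: str) -> set[str]:
    """'pkg.a/pkg.a.Svc:pkg.b/.Svc' -> {'pkg.a', 'pkg.b'}; 'null' or '' -> empty set."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def unexpected_grants(values: dict[str, str], allowlist: set[str]) -> dict[str, set[str]]:
    """For each setting, the packages holding that grant which are not on the allowlist."""
    return {name: parse_components(val) - allowlist for name, val in values.items()}

def read_from_device() -> dict[str, str]:
    """Pull the live values over adb (needs a connected device with USB debugging enabled)."""
    return {name: subprocess.check_output(["adb", "shell", "settings", "get", "secure", name],
                                          text=True)
            for name in SETTINGS}

# Constructed sample of what the two settings can look like after a bad install.
SAMPLE = {
    "enabled_notification_listeners":
        "com.android.systemui/.NotificationListener:com.constructed.smsapp/.ListenerSvc",
    "enabled_accessibility_services":
        "com.fromtoo2/com.fromtoo2.AccessibilitySvc",
}
TRUSTED = {"com.android.systemui"}  # assumption: the device's own listener is expected

if __name__ == "__main__":
    for name, pkgs in unexpected_grants(SAMPLE, TRUSTED).items():
        print(name, sorted(pkgs))
```

Replace `SAMPLE` with `read_from_device()` to audit a real handset; any package listed that you did not knowingly grant is worth uninstalling and reporting.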
If you are responsible for protecting your corporate network, deploy Zscaler’s zero trust architecture to protect your users and prevent further compromise if a malicious app is downloaded by a user on their personal device.