Stealthy Android Trojan Spy Signs You Up For Premium Subscriptions



Security researchers discovered a new Android Trojan with malware dropper and spyware capabilities in 24 Google Play Store apps with more than 472,000 downloads in total.


The new Android malware dubbed 'Joker' is hidden within advertisement frameworks used by the compromised apps — some with over 100,000 installs — and it is designed to download a second-stage component as a DEX file that adds more capabilities.


This additional malicious component simulates user interaction on ad sites and also harvests its victims' device info, contact list, and text messages.


"The automated interaction with the advertisement websites includes simulation of clicks and entering of the authorization codes for premium service subscriptions," as CSIS Security Group recently found.


Joker utilizes its SMS collection module to sign its victims up for premium subscriptions using the authorization codes automatically extracted from the authorization text messages.



Targeted countries

Only Android users from a very specific list of countries are currently targeted by the Joker Trojan — including but not limited to Australia, France, Germany, India, the UK, and the U.S. — with the vast majority of infected apps found by the researchers containing a hardcoded list of Mobile Country Codes.


The malware compares the SIM card's country code with the hardcoded list to check whether the victim is in one of the targeted countries and whether the second-stage component should be dropped.


However, "most of the discovered apps have an additional check, which will make sure that the payload won’t execute when running within the US or Canada."


The campaign's operators also send commands and code to be executed via JavaScript-to-Java callbacks on compromised devices, a technique used to protect the Trojan against static analysis.
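As an added illustration (not code from CSIS or the original article), a defender triaging decoded APKs could flag the combination of behaviours described above: SMS access, a SIM country check, dynamic DEX loading and a JavaScript-to-Java bridge. The function names, the escalation threshold and both sample apps are constructed for the example, which assumes a text manifest and smali output such as apktool produces.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Behaviours named in the article, mapped to the Android permissions and API
# references that can implement them. Each is common in benign apps on its own.
PERMISSION_TRAITS = {
    "sms_access": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts_access": {"android.permission.READ_CONTACTS"},
}
CODE_TRAITS = {
    "sim_country_check": re.compile(r"TelephonyManager;->getSim(Operator|CountryIso)\("),
    "dynamic_dex_loading": re.compile(r"Ldalvik/system/(InMemory)?DexClassLoader;"),
    "js_to_java_bridge": re.compile(r"WebView;->addJavascriptInterface\("),
}

def triage(manifest_xml, smali_text):
    """Return the sorted traits found in one decoded app."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    found = {t for t, wanted in PERMISSION_TRAITS.items() if perms & wanted}
    found |= {t for t, rx in CODE_TRAITS.items() if rx.search(smali_text)}
    return sorted(found)

def needs_review(traits):
    """Assumed threshold: SMS access plus at least two of the code traits."""
    return "sms_access" in traits and len(set(traits) & set(CODE_TRAITS)) >= 2

# Constructed samples, not taken from any real app.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""
SUSPECT_SMALI = """
invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSimOperator()Ljava/lang/String;
new-instance v1, Ldalvik/system/DexClassLoader;
invoke-virtual {v2, v3, v4}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
BENIGN_SMALI = """
invoke-virtual {v2, v3, v4}, Landroid/webkit/WebView;->addJavascriptInterface(Ljava/lang/Object;Ljava/lang/String;)V
"""

if __name__ == "__main__":
    for name, m, s in [("suspect", SUSPECT_MANIFEST, SUSPECT_SMALI),
                       ("benign", BENIGN_MANIFEST, BENIGN_SMALI)]:
        traits = triage(m, s)
        print(name, traits, "REVIEW" if needs_review(traits) else "ok")
```

A match is a reason to inspect the app manually, not a verdict, since a second stage fetched at runtime never appears in the static code.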


An additional method making analysis harder is the use ..
