Google sometimes has a tough time keeping malware out of its mobile app store. Though the company employs Google Play Protect to scan and vet apps that contain malware, savvy cybercriminals can devise ways to sneak past those defenses.

Always a thorn in Google’s side, the Joker malware arrived as a new variant a few months ago and evaded Google Play Protect to infect legitimate apps and sign people up to premium services. A blog post published Thursday by the cyber threat intelligence provider Check Point Research explains how this new version worked and what to do if you think one of the apps may still be on your Android device.

SEE: Top Android security tips (free PDF) (TechRepublic)

Discovered by Check Point, the malware was a new flavor of the Joker Dropper and Premium Dialer spyware. Hiding in otherwise legitimate apps, this new version managed to download additional malware to Android devices. Once installed, this Joker variant would then subscribe users to premium services without their approval as a prime example of billing fraud.

Check Point researchers disclosed its findings to Google, which removed 11 identified apps from Google Play by April 30, 2020. However, the discovery shows that Google’s Play Store protection can be tricked by clever criminals and hackers who know how to create programs that hide their malicious intent.

In this case, the new variant of Joker used two components to sign up people as subscribers to premium paid services. One component was the Notification Listener service, which is used to learn of any push notifications received on the device.

The other component was a dynamic dex file loaded from the Command & Control server to register the user for the premium services. A dex file, or Dalvik executable file, contains code designed to be executed by the Android Runtime environment. To hide the true purposes of the malware, the hacker hid the dex file from view while still ensuring that it was able to load.

In a nutshell, Joker operated in three distinct stages:

  • Build payload first. Joker builds its payload beforehand inserting it into the Android Manifest File.
  • Skip payload loading. During evaluation time, Joker does not even try to load the malicious payload, which makes it much easier to bypass Google Play Store protections.
  • Malware spreads. After the evaluation period and the app has been approved, the campaign starts to operate by loading the malicious payload.

Check Point provided TechRepublic with the package names and the Google Play names for each of the 11 infected apps:

  1. – Compress Image
  2. – Contact Message
  3. com.hmvoice.friendsms – Friend SMS
  4. com.relax.relaxation.androidsms – Relaxation Message
  5. com.cheery.message.sendsms – Cheery Message
  6. com.cheery.message.sendsms – Cheery Message
  7. com.peason.lovinglovemessage – Loving Message
  8. com.file.recovefiles – File Recovery
  9. com.LPlocker.lockapps – App Locker
  10. com.remindme.alram – Remind Alarm
  11. – Memory Game

“Joker adapted,” Aviran Hazum, Check Point manager of mobile research, said in a press release. “We found it hiding in the ‘essential information’ file every Android application is required to have. Our latest findings indicate that Google Play Store protections are not enough. We were able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users.”

“The Joker malware is tricky to detect despite Google’s investment in adding Play Store protections. Although Google removed the malicious apps from the Play Store, we can fully expect Joker to adapt again. Everyone should take the time to understand what Joker is and how it hurts everyday people.”

For Android users who suspect they may have one or more of the infected apps, Check Point serves up the following three tips:

  1. Uninstall the infected application from your device.
  2. Check your mobile and credit card bills to see if you’ve been signed up for any subscriptions and unsubscribe if possible.
  3. Install a security solution to prevent future infections.