
Joker, Other Fleeceware Return to Google Play


Several Android mobile Trojans are circulating in the wild, secretly subscribing users to paid services and earning money for fraudsters. Many of them bypass the official security measures of the Google Play app store.

Researchers from Kaspersky, who have been tracking these latest so-called "fleeceware" threats for the past few months, say the malware is often able to bypass bot-detection mechanisms on paid-service sites and may even sign unsuspecting mobile users up for the scammers' own non-existent services.

The malware often hides in unsafe mobile apps such as medical apps, photo editors and popular games in the Google Play mobile app store and other stores. According to Kaspersky, weaponized apps appear almost as quickly as they are detected and removed.

Many of the applications request permission to access user notifications and messages. When these permissions are granted, the malware intercepts and captures messages containing their subscription confirmation codes, thus leaving users unaware that they have just subscribed to a paid service.
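A defender-side triage of the permission pattern described above, as an added example that is not from Kaspersky's report or the original article: it reads a decoded AndroidManifest.xml and flags apps that can read SMS messages or notifications without an obvious reason to. The category labels, function names and sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"
# Assumption: app categories where reading SMS or notifications is plausible.
EXPECTED_CATEGORIES = {"messaging", "wearable-companion"}

def interception_surface(manifest_xml):
    """List the manifest entries that would let the app read verification codes."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for p in root.iter(tag)}
    findings = ["sms:" + p for p in sorted(requested & SMS_PERMS)]
    for svc in root.iter("service"):
        actions = {a.get(A + "name") for a in svc.iter("action")}
        # A notification listener is a service guarded by LISTENER_PERM that
        # answers the NotificationListenerService intent action.
        if svc.get(A + "permission") == LISTENER_PERM or LISTENER_ACTION in actions:
            findings.append("notification-listener:" + str(svc.get(A + "name")))
    return root.get("package"), findings

def triage(manifest_xml, category):
    """Flag apps whose category gives no reason to read SMS or notifications."""
    package, findings = interception_surface(manifest_xml)
    return {"package": package, "findings": findings,
            "review": bool(findings) and category not in EXPECTED_CATEGORIES}

# Constructed sample: a "photo editor" manifest in decoded (text XML) form.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoeditor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".SyncService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, "photo-editor"))
```

A hit is a reason to review the app, not proof of malice: legitimate messaging and companion apps declare the same entries.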

Kaspersky's report highlights the four most common Trojans in this category that have been observed in recent months: Joker (which the company calls Jocker), MobOk, GriftHorse.l and Vesub. The vendor estimates that a staggering 70% of Android device users have encountered such subscription Trojans at some point.

The four worst
Kaspersky identifies MobOk as the most active of the four threats. The malware was first spotted in an infected app on Google Play, but has recently been distributed as a payload of Triada, another mobile Trojan often hidden in pre-installed system apps on some smartphones. Kaspersky says it observed the malware in the Pure Android APR mobile app store, hidden inside what the vendor called a widely used modification of WhatsApp Messenger.

Once installed on the system, MobOk works by opening the subscription page for a paid service in an invisible window. If the malware has been granted access to the user notification service, it intercepts any verification code that the paid service may send to the device and uses it to confirm the subscription. One of the features that sets MobOk apart from other mobile Trojans is its ability to solve CAPTCHAs on subscription sites, Kaspersky says. Many of the MobOk infections observed by the vendor were in Russia, followed by India and Indonesia.

Joker, meanwhile, is malware that Kaspersky recently found hidden in messaging software, blood pressure monitoring software, document scanning software and other products on Google Play. Joker is a long-known mobile threat that constantly changes its tactics to keep infiltrating the official app store.

In many cases, fraudsters download legitimate versions of these apps from Google's app store, insert the Joker code into them and re-upload them to the store under a different name, Kaspersky says. The malware is coded to remain dormant during Google's app verification process and to become active when the app is running. Like MobOk, Joker is also designed to intercept text messages or notifications containing verification codes and use them to register users for paid subscription services without their knowledge.

The current version of the malware uses a multistage download process, involving four files, to install the final malware component on end-user systems. The technique was adopted to try to evade malware detection mechanisms, Kaspersky notes. Researchers from the company noted that the malware is most commonly used against Android users in Saudi Arabia, Poland and Germany.

Vesub, meanwhile, is mobile malware that Android users may encounter in unofficial app stores. The malware is hidden in fake versions of popular gaming apps that do not actually contain any legitimate functionality. Once installed, the malware immediately starts trying to subscribe users to paid services, while all the user sees is a window indicating that the app is still downloading. Like most subscription Trojans, Vesub only works if it is granted access to text messages or notifications. Kaspersky has found that the malware is prevalent in Egypt, Thailand and Malaysia.

Finally, GriftHorse.l differs from the other malware in that it subscribes users to the malware authors' own paid services, such as apps that promise to enroll users in a paid weight-loss plan. Users who sign up for these plans often do so without realizing that they are signing up for a service with recurring payments and automatic billing, Kaspersky says.

Richard Melick, director of threat reporting at Zimperium, says such malware should not be seen as a threat to consumers alone. “Organizations of all sizes need to begin to understand that in the world of BYOD there is no threat only to consumers,” he said in comments via email. “Every time Joker and other long-standing malware are updated, they continue to risk critical data, services and attack surfaces.”

Security teams need to make sure they have the same security architecture for mobile endpoints as for traditional devices.

Both Google and Apple have taken many measures over the years to prevent malware from being uploaded to their respective mobile app stores. While the measures have helped curb malware to some extent, security vendors continue to find malware in these stores on a regular basis. Just last month, for example, Google removed at least six apps disguised as legitimate antivirus tools that were actually used to install a banking Trojan called SharkBot. According to Check Point, the malicious apps were downloaded more than 15,000 times before Google removed them from Google Play.
