Google Confirms ‘Malicious’ Security Threats Hiding On Play Store: Delete These 12 Apps Now


“When we are alerted of apps that violate our policies,” a Google spokesperson told me, “we investigate and take action.” That’s good, but leading cybersecurity firm Check Point warns that “malicious apps are still finding their way onto Google Play.” Months after the launch of the tech giant’s App Defense Alliance, Check Point’s lead mobile threat researcher tells me improvements “are not where we hoped they would be—Google is investing to battle malicious apps, but given the current state it’s not enough.”

That issue is made crystal clear by new research released today—two separate threats actively hiding on the Play Store: Joker malware that has slipped the security net and the new danger of Haken. Both have driven large numbers of downloads, both have prompted Google to confirm it has removed all of the infected apps identified thus far, both now require users to delete any installs.

First, Joker, a well-known and widely covered malware still sneaking onto the Play Store and bypassing Google’s defenses. Davey Winder reported on Joker for Forbes in September; at the time it had infected 500,000 devices. The malware subscribes its victims to premium subscription services. The painful issue is that removing the malicious app doesn’t cancel the fraudulent subscriptions. “That's going to take effort on the victim’s side,” Check Point’s Aviran Hazum explains, “to figure out the services and then manually reach out and unsubscribe.”

Joker detects the country within which a user is located, then identifies relevant premium services accessible from that location. “Through a hidden web-view,” Check Point explains, “the malware registers a user’s phone number to the premium service, awaiting verification via SMS. Through SMS permissions, the malware reads the code, and inserts that code to the verification page for the premium service. With the same SMS permissions, it deletes the SMS so the user won’t be alerted. The end result is that the malware signs up for a new service without a user ever knowing.”
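The sign-up flow described above depends on the app holding SMS permissions alongside network access. A simple defender-side triage check, added here as an example and not drawn from Check Point or Google, is to parse an app’s AndroidManifest.xml and flag that permission combination; the manifests below are constructed for illustration, and the combination is a heuristic signal for review rather than proof of malice.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that together let an app read an SMS verification code and
# reach a sign-up page in a hidden web view without the user seeing either.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
NETWORK_PERM = "android.permission.INTERNET"


def declared_permissions(manifest_xml: str) -> set:
    """Return every <uses-permission android:name="..."> declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter("uses-permission"):
        name = el.get("{%s}name" % ANDROID_NS)
        if name:
            names.add(name)
    return names


def sms_otp_risk(manifest_xml: str) -> dict:
    """Heuristic: SMS read/receive permissions plus INTERNET warrant a closer look."""
    perms = declared_permissions(manifest_xml)
    sms = perms & SMS_PERMS
    has_internet = NETWORK_PERM in perms
    return {
        "sms_permissions": sorted(sms),
        "has_internet": has_internet,
        "flag": bool(sms) and has_internet,
    }


# Constructed sample manifests (hypothetical package names, not real apps).
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.wallpaper.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <application android:label="Wallpapers"/>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.compass.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Compass"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("wallpaper", SUSPICIOUS_MANIFEST), ("compass", BENIGN_MANIFEST)):
        print(label, sms_otp_risk(xml))
```

A wallpaper or compass app that asks to receive and read SMS has no obvious need for it, which is why the check scores the combination rather than any single permission.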

In January, Google confirmed that it had removed around 1,700 apps carrying the Joker (aka Bread) malware. “They have at some point used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected,” Google reported in its blog post. “Many of these samples appear to be designed specifically to attempt to slip into the Play Store undetected and are not seen elsewhere.”

Well, that hasn’t changed and the malware is still getting through. “Recently we have discovered samples that bypassed Google’s evaluation process,” Hazum tells me. “Those Joker apps were downloaded a lot of times and had a lot of victims.” Looking at the numbers, it appears that Check Point is aware of around 300,000 installs since the purge was announced. “Security vendors are still finding Joker samples on Google Play,” Hazum says, “even in February, even after all the efforts to remove it.”

Hazum leads Check Point’s mobile threat modeling and intelligence team—“what's out there and how we better detect it,” he explains. So, how is Joker getting through, despite all that’s known? “That's a difficult question,” Hazum says, “but it has to be asked. We don't have visibility into how Google evaluates apps before they’re uploaded to Google Play. Joker has techniques to hide itself, obfuscation or remote service to get commands. During the evaluation process these are likely not activated on the server-side. It’s a tricky malware to detect. So far, every Joker sample we have reported has been removed from the Play Store, but there are others.”

Hiding, obfuscation, evasion. These are the same themes for another “malicious” malware strain Check Point has just found. The threat is different to Joker—clicker fraud instead of subscription fraud, and the hiding techniques are different as well. “This new malware uses native code,” Hazum explains, “it’s harder to analyze than the language Android apps are written in, it’s harder to understand what's going on.”

The newly identified threat has been dubbed Haken. “The apps were mostly camera utilities and children’s games,” the firm explains in a blog post published today, February 21. “The apps were Kids Coloring, Compass, QRcode, Fruits Coloring Book, Soccer Coloring Book, Fruit Jump Tower, Ball Number Shooter & Inongdan.”

Children’s games—take note of the deviousness of these operators.

Technically, the apps are developed in Java, “but the actual malicious code is in native code, allowing them to bypass Google Play Protect.” Now it has been discovered, the native code has been sampled, and so “Google can implement its solution against this signature and the behavioral analysis for this kind of attack.”

Click fraud is often dismissed as irritating, a nuisance. It captures revenue from advertisers paying for ghost ads. The issue for a user is battery life and network usage. But any malware finding its way onto your device is much more dangerous than that. The threat can adapt. Check Point warns that Haken can target anything on screen. It can be adapted to a subscription fraud model. “It can also exfiltrate sensitive data from the user’s device.” Such malware can also be used as a “dropper” to install other threats from its operators, targeting specific locations and device types.

Haken had quickly raced to 50,000 installs before it was detected by Check Point and reported to Google. Those malicious apps have now been removed. The researchers were actually looking for BearClod clickers at the time, a malware family with tens of millions of infections to its name. “While monitoring increased ‘BearClod’ activity, we were able to find another clicker family—‘Haken’.”

The message from today’s release is nothing new. The reported threats have been confirmed by Google, Check Point tells me, and action has been taken across it all.

The advisory from the security industry—Check Point included—is for Android users to install some form of security app on their device. Only a small percentage of users have done so. But, more importantly, apply some general limitations on what you allow onto your device. Trivial apps from little-known developers are the root cause of most of these threats. Every app downloaded is a potential vulnerability. Think through how much you really need another compass or QR reader or weather app.

In the meantime, Google is making progress in building stronger walls around its app ecosystem. On February 20, the tech giant announced it had removed 600 apps from the Play Store and banned them from its monetization platforms, Google AdMob and Google Ad Manager, for violating its store policies. Thousands of such fraudulent apps have been identified, and an industrial-scale screening process for pulling them from the store is clearly being put in place.

All that said, when it comes to the more malicious and sophisticated malware, as the defenders get smarter so the attackers become more devious. It is almost certain that those defenses will never be foolproof. So take care.

Joker-infected apps reported by Check Point:

  1. com.app.reyflow.phote
  2. com.race.mely.wpaper
  3. com.landscape.camera.plus
  4. com.vailsmsplus

Haken-infected apps reported by Check Point:

  1. com.faber.kids.coloring
  2. com.haken.compass
  3. com.haken.qrcode
  4. com.vimotech.fruits.coloring.book
  5. com.vimotech.soccer.coloring.book
  6. mobi.game.fruit.jump.tower
  7. mobi.game.ball.number.shooter
  8. com.vimotech.inongdan
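The article asks users to delete any installs of the packages listed above. For anyone checking a fleet of devices rather than one phone, the following script, added here as an example and not Check Point’s or Google’s own tooling, compares the output of `adb shell pm list packages` against the two package lists from this page. The device output embedded below is constructed for illustration.

```python
# Package names as reported by Check Point on this page.
JOKER_PACKAGES = {
    "com.app.reyflow.phote",
    "com.race.mely.wpaper",
    "com.landscape.camera.plus",
    "com.vailsmsplus",
}

HAKEN_PACKAGES = {
    "com.faber.kids.coloring",
    "com.haken.compass",
    "com.haken.qrcode",
    "com.vimotech.fruits.coloring.book",
    "com.vimotech.soccer.coloring.book",
    "mobi.game.fruit.jump.tower",
    "mobi.game.ball.number.shooter",
    "com.vimotech.inongdan",
}


def parse_pm_list(output: str) -> set:
    """Parse `adb shell pm list packages` output, one 'package:<name>' per line."""
    installed = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            installed.add(line[len("package:"):])
    return installed


def find_known_bad(installed: set) -> dict:
    """Return installed packages that match either family's reported list."""
    return {
        "joker": sorted(installed & JOKER_PACKAGES),
        "haken": sorted(installed & HAKEN_PACKAGES),
    }


# Constructed sample of `pm list packages` output; not taken from a real device.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.haken.compass
package:com.example.mail
package:com.vailsmsplus
"""

if __name__ == "__main__":
    hits = find_known_bad(parse_pm_list(SAMPLE_PM_OUTPUT))
    for family, packages in hits.items():
        for pkg in packages:
            # The page's guidance: remove the app; for Joker, also review
            # carrier bills for subscriptions the app may have created.
            print(f"{family}: {pkg} -> uninstall")
```

Removing a matched package is only the first step for Joker hits: as the article notes, the premium subscriptions it created survive the uninstall and have to be cancelled with each service separately.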
