Two Android Apps Infected with Joker Malware – Uninstall Now

From a remote computer mouse to a Smart TV remote on our Android device, nowadays, we can easily find convenience in the shape of applications. However, when it comes to Android, convenience may come with a price – malware infection.

Joker Malware Invades Android Apps

Recently, two applications on Google Play Store were reported to contain malware. The apps are “Smart TV remote” and “Halloween Coloring”, with one of them having more than 1000 downloads.

The impact is big as both of these applications are trojanized with the Joker malware. What is this all about? Find out in the following article.

The Joker – As Evil As Ever

The malware is not new to the scene. In fact, earlier this year, more than 500,000 Huawei Android devices were hit with Joker.

Now, it has new targets – Android phones in general. As we all know, Kaspersky malware analysts are very credible when it comes to detecting malware.

Tatyana Shishkova, an Android malware analyst at the firm, revealed the names of two Google Play applications that have Joker embedded within them.

The apps are Smart TV Remote and Halloween Coloring. While the second one doesn’t have that many downloads, Smart TV Remote, unfortunately, has over a thousand.

According to Shishkova, these applications are trojanized with the Joker malware.

Since the malware is not new, security experts already know how it operates. Joker works by hiding malicious code in seemingly harmless apps that look legit enough to be on official app stores.

Once the users install any of these apps on their device, the malware will be able to subscribe them to premium mobile services without their consent or knowledge.

What Happens in the Background?

So, how does the malware operate in the shadows? Shishkova stated that the malicious code makes its way to the “resources/assets/kup3x4nowz” file within the Smart TV remote app.

As for the Halloween Coloring app, a file that goes by the name of “q7y4prmugi” rests at the same location. Inside the malicious app, you can spot the Base64 code packing a Linux ELF binary:

Malware Code

According to BleepingComputer, the ELF binary goes further and downloads a second-stage payload hosted on an Amazon AWS instance. The URLs can be found below: 

Smart TV remote app: https://50egvllxk3.s3.eu-west-3.amazonaws[.]com/yr41ajkdp5
Halloween Coloring app: https://nwki8auofv.s3.sa-east-1.amazonaws[.]com/vl39sbv02d

ELF Base Malware

The files yr41ajkdp5 and vl39sbv02d are encrypted using XOR, which makes them hard to decrypt and hard for any of the leading antivirus engines to detect.
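The first stage described above, a Base64-encoded Linux ELF binary stored as an app asset, can be checked for statically before an app is trusted. The following Python is an added example, not code from Shishkova, Kaspersky or BleepingComputer; the function names and the sample archive (including the asset name a1b2c3d4e5 and the 16-byte fake ELF header) are constructed for illustration.

```python
from __future__ import annotations

import base64
import binascii
import io
import zipfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file


def decode_if_base64_elf(data: bytes) -> bytes | None:
    """Return the decoded bytes if data is Base64 text wrapping an ELF, else None."""
    text = b"".join(data.split())  # Base64 blobs are often line-wrapped
    if not text:
        return None
    try:
        decoded = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None  # not clean Base64, so not this packing scheme
    return decoded if decoded.startswith(ELF_MAGIC) else None


def find_packed_elf_assets(apk_bytes: bytes) -> list[tuple[str, int]]:
    """List (entry name, decoded size) for asset files hiding a Base64-encoded ELF."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or "assets/" not in info.filename:
                continue  # native code normally ships under lib/, not assets/
            elf = decode_if_base64_elf(apk.read(info))
            if elf is not None:
                hits.append((info.filename, len(elf)))
    return hits


def build_sample_apk() -> bytes:
    """Constructed archive: one benign asset and one Base64-wrapped fake ELF header."""
    fake_elf = ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9  # e_ident only, not a real binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/colors.json", '{"pumpkin": "#ff7518"}')
        z.writestr("assets/a1b2c3d4e5", base64.encodebytes(fake_elf))
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, size in find_packed_elf_assets(build_sample_apk()):
        print(f"{name}: Base64-encoded ELF, {size} bytes decoded")
```

A hit only shows that an asset decodes to an ELF header; it does not identify the malware family, so flagged files still need analysis.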

The apps are dangerous and may cost you a lot. Fortunately, a Google spokesperson confirmed that Google has removed both of these apps from its store. We wanted to confirm and it turned out to be true.

Apps Removed for Play Store

The risk is over, for the time being. All that’s left is for users who have already installed either of these apps to delete (uninstall) them immediately.

After that, perform a quick check-up to see if any unauthorized subscriptions or sign-ups have been done under your account.

The Joker Malware – No One’s Laughing Now

Joker keeps popping up every now and then, putting all of your devices at risk. Not only that, but the attackers implementing it keep finding ways to dodge Google Play Store’s scanning mechanism.

Whenever you download an app, make sure it’s legit. Check the reviews, ratings, and other stuff – this might help a lot. The Halloween app has 1+ downloads; why would you get that? Double-check first and save yourself a lot of trouble in the future.
