Joker spyware resurfaces, clicker malware Haken spotted on Google Play Store

News by Rene Millman

Joker spyware reappeared on the Google Play store over the last few months, a few samples at a time

Two unrelated malware types, Joker and Haken, have managed to appear on the Google Play Store, according to security researchers at Check Point.

In a blog post, researchers Ohad Mana, Israel Wernik, Bogdan Melnykov, and Aviran Hazum said that these varieties of malware continue to change in order to avoid Google's security policies and checks.

The researchers said that the Joker spyware has, over the last few months, reappeared on the Google Play store, a few samples at a time. It has also been developed to avoid appearing for users in the US or Canada. It uses geolocation data to discover premium services available to a given device’s region. 

“With access to the notification listener, and the ability to send SMS, the payload listens for incoming SMS and extract the premium service confirmation code (2FA) and sends it to the “Offer Page”, to subscribe the user to that premium service,” said researchers.

Meanwhile, a new clicker malware family called Haken, found in eight apps on the Play Store, mimics the user and perform ‘clicks’ on ads. 

“This campaign has just begun its path in Google Play. With eight malicious applications, and over 50,000 downloads, the clicker aims to get a hold of as many devices as possible to generate illegitimate profit,” researchers said.

“With the usage of native-code, code injection into Ad-SDKs, and backdoored applications from the official store, Haken has shown clicking capabilities while staying under the radar of Google Play. Even with a relatively low download count of 50,000+, this campaign has shown the ability that malicious actors have to generate revenue from fraudulent advertising campaigns.”

Providers of mobile apps are challenged to ensure that their apps are secure, said Sam Bakken, senior product marketing manager at OneSpan. 

“Not only is it hard to find and retain Android and iOS development talent, mobile app security experts or mobile developers with security knowledge are even fewer and farther between. But, that challenge doesn't matter to consumers,” he told SC Media UK.

“They want a great, secure consumer experience. App developers need to take advantage of proven mobile app security tools to help them ensure the security of their apps. Mobile in-app protection solutions provide developers the proven, mobile app security building blocks they need to fortify their apps. And, they don't need to be mobile security experts to use them.”

While it is always safe for consumers to only download mobile applications from Google’s official storefront Google Play, rogue apps are still getting through its defences, thanks to its scale and set up, pointed out Dimitris Maniatis, CEO of Upstream.

“Fraudsters appear to target some app categories more than others. Ironically, apps designed to make a device function better and make everyday life easier are the ones most likely to be harmful with 22.32 percent of malicious apps for 2019 falling under the Tools / Personalisation / Productivity category globally,” he told SC Media UK.

In 2019, marketers lost nearly £10 billion to app install fraud, said a blog post by InMobi, Google’s rival in mobile advertisement. 

“Click spam, click injection, SDK spoofing, faked installs, click flooding (a form of click fraud) and invalid traffic (IVT) are just some of the types of mobile ad fraud that will continue to plague digital advertising in 2020,” it said.

“It is more than an invisible threat, it is an epidemic, calling for increased mobile security that urgently needs to rise up in the industry’s priority list. Left unchecked, ad fraud will choke mobile advertising, erode trust in operators and lead to higher tariffs for users,” Maniatis said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews