Episode: 3360 Title: HPR3360: Android Malware Alert Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3360/hpr3360.mp3 Transcribed: 2025-10-24 21:41:46 ---

This is Hacker Public Radio episode 3360, Friday 18th of June 2021. Today's show is entitled Android Malware Alert and is part of the series Privacy and Security. It is hosted by Ahuka, is about 11 minutes long, and carries a clean flag. The summary is: a look at some security issues in Android.

This episode of HPR is brought to you by AnHonestHost.com. Get a 15% discount on all shared hosting with the offer code HPR15, that's HPR15. Better web hosting that's honest and fair at AnHonestHost.com.

Hello, this is Ahuka, welcome to Hacker Public Radio and another exciting episode, and I want to again give us a little security update, and this has to do with some Android malware. A report was released regarding malware that targets Android called Joker. Now this malware has actually been around since 2016, but it continues to be one of the major threats to Android devices. It can steal SMS messages, contact lists and device information. It can also sign up users for pricey subscription services, such as Wireless Application Protocol, or WAP, services. This malware gets added to applications that can be downloaded from the Google Play Store, and though Google has removed many of those apps, the malware keeps coming back.

So how does it do what it does? Well, the apps that get the Joker malware are essentially knockoffs of legitimate apps that can fool people into downloading them. They don't generally contain the malware. Instead they contain what is called dropper code, which at some future time, days or weeks later, will contact a remote site and then download the actual malware. Now this dropper code is heavily obfuscated in a variety of ways. Sometimes the code is AES encrypted. Other times it masquerades as legitimate files that are common in other applications, such as JSON files and CSS.
The download is frequently a .dex file, which stands for Dalvik Executable, which is now the native format for Android applications. Joker can also use code injection to hide inside of legitimate third-party packages that reside on an Android phone, such as org.junit.internal, com.google.android.gms.dynamite, or com.unity3d.player.UnityProvider. Now a security research firm, Zscaler, issued the most recent report on this, and of course this is all linked in the show notes. And as I've said before, when I do these shows I try to put as much information as possible in the show notes, you know, links to sources that will give you more information. So you can find out about Dalvik Executables, and you can read this Zscaler report.

And this report explains some of the methods Joker uses to download the malware. One of those is direct download. So in this scenario, a URL is hidden in the code via string obfuscation. Now this is a technique for hiding executable code by making it hard for the code to be detected. There's a site called Sucuri that gives an example of calling PHP to execute the commands where the functions are broken up into two to three character chunks, each chunk inside single quotes and separated by periods. PHP will then join the chunks, remove the single quotes, and execute the functions just created. Interesting technique.

And by the way, just a side note on Sucuri, that's S-U-C-U-R-I, that's a security site. I found out about them, and then discovered they had a very nice plugin for WordPress. And my websites all run on WordPress. And so I went and got this plugin, and it does something that I really like, and that is it sends me an email any time there's any activity on the website backend. I mean, it's not going to notify me that someone looked at a webpage, but if a webpage has been modified, a new page has been added, you know, any of that kind of activity, I get an email.
Now, so far, all that has meant is I get an email every time I do something, but it's good to have that notification if someone were to get in, and that did happen to one of my sites. And it was a royal pain in the butt. You know, I had to go through basically searching through my SQL database to find out where they had hidden this stuff, because what was happening was, all of a sudden you go to my site and it's serving up something entirely different. So now, if someone does that, I'll get an email right away, and at least I can get on top of it.

Okay, so back to direct download. You know, we looked at that technique of using PHP. So what happens after that code has been put back together by PHP and the function has been executed? Well, at that point it contacts a command and control server to get another URL, which will take them to the final download of the malware payload. It also supplies a JSON file that has the configuration information for the final download. Once the JSON file is downloaded and executed, the final download takes place.

Then there's one-stage download. So this variant downloads a stager payload first, which then leads to the final download. The URL for the stager payload is encoded using AES encryption. There are two varieties of stager payload that Zscaler has noted, either an APK file or a .dex file. This stage is responsible for obtaining the URL for the final payload download. The stage is also responsible for executing that final payload.

Then there's a two-stage download. In this variant, the infected app executes code to contact the command and control server, which replies by sending a message with the URL for the first stager payload, which it hides in the Location header. The first stager payload is downloaded and executed, which then downloads the second stager payload, which in turn contains the hard-coded URL for the final payload. That is then downloaded.
Now, final payload. Regardless of the download method, the final payload of malware is the same. To begin with, it uses DES encryption to execute the command and control activities, and it uses string obfuscation techniques to hide all important strings. Now, if you want a more detailed description of all of this, there's a link in the show notes. It's a Chinese site, so you want to use a browser that can translate from Chinese to English, but you can get a lot more detailed technical information there if you want it.

Now, what can you do? Given that this malware has been infecting apps in the Google Play Store for five years now, it does not seem likely that someone else is going to fix the problem. The Zscaler report says that Google has removed these apps from the Play Store when it finds them, but it cannot remove them from your phone if you had the misfortune to download one of them. Using an anti-malware app on your phone may help, but the techniques Joker uses to hide make it challenging to detect and remove.

Now, step one is to check to see if you have one of these apps and remove it manually from your phone. I have a link in the show notes to the latest batch of 17 apps that Zscaler found, and they put that on a web page so you can do some checking. Once that is done, there are some common sense precautions you can take. Be careful to only download and install apps that serve a genuine need. Downloading a lot of apps willy-nilly will only increase your attack surface. Then, check the history of the app. If it is fairly new and has relatively few downloads, you should probably steer clear. Now, remember, Google does remove these apps from the Play Store as soon as they're aware of them, so they don't tend to last long. Next, stick with developers that have a good reputation and track record. Now, for apps you rarely use or haven't used recently, consider uninstalling them. Remember, it is about the size of the attack surface.
The more apps you have, the more potential vulnerabilities you have. Pay attention to permissions. Every time you install an app, it asks you for permissions to do things. Now, most of us see that so much that we just click yes automatically. Okay, yeah, fine, whatever. Just give me my adrenaline thrill here. I don't want to be reading through all of this stuff. And that's what malware authors rely on. If a solitaire app asks for permission to access your contacts list and your SMS, you probably shouldn't allow it. That's not a good thing. One thing you can do: manage your existing permissions. A good thing Android 11 does is allow you to remove permissions for apps you haven't used in a while. Now, I've got a link in the show notes to a TechRepublic article where you can read more about this and how to manage your permissions. And I've got some reference material as well in the show notes that you can take a look at. That's our technical article. So there's some good information there. And as always, when I post these shows, I try to put relevant links in the show notes so that you can get more information and follow up on these things. But for now, this is Ahuka for Hacker Public Radio signing off and encouraging you to support free software. Bye-bye.

You've been listening to Hacker Public Radio at HackerPublicRadio.org. We are a community podcast network that releases shows every weekday, Monday through Friday. Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contributing link to find out how easy it really is. Hacker Public Radio was founded by the Digital Dog Pound and the Infonomicon Computer Club and is part of the Binary Revolution at binrev.com. If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself.
Unless otherwise stated, today's show is released under the Creative Commons Attribution Share-Alike 3.0 license. Thank you.
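Editor's added example, not part of the episode, the Zscaler report or the Sucuri article: the string-chunking trick the host describes (a function name split into short single-quoted pieces joined with PHP's `.` operator, so a plain search for `eval` or `base64_decode` finds nothing) can be undone statically by doing what PHP would do at runtime, joining the pieces back together before looking at them. The script below does that over a constructed PHP sample and reports which sensitive names were reassembled and which literals were split into many pieces, a signal on its own. It handles any chunk length, not only the two-to-three character pieces mentioned in the episode. The sample source and the list of names treated as dangerous are assumptions made for this example.

```python
import re

# Constructed sample PHP (not from a real site), modelled on the pattern the
# episode describes: names split into 2-3 character single-quoted chunks
# joined with '.', so grepping for "eval" or "base64_decode" misses them.
SAMPLE_PHP = """<?php
$f = 'ba'.'se'.'64'.'_d'.'ec'.'od'.'e';
$g = 'ev'.'al';
$g($f('cGhwaW5mbygpOw=='));
echo 'he'.'llo';
"""

# One PHP single-quoted literal; only \' and \\ are escapes in that form.
CHUNK = r"'((?:[^'\\]|\\.)*)'"
# Two or more such literals joined with the '.' concatenation operator.
CONCAT_RE = re.compile(CHUNK + r"(?:\s*\.\s*" + CHUNK + r")+")

# Names that, once reassembled, indicate code execution or decoding of a
# hidden payload. Illustrative assumption, not an exhaustive list.
DANGEROUS = {
    "eval", "assert", "system", "exec", "shell_exec", "passthru",
    "create_function", "base64_decode", "gzinflate", "gzuncompress",
    "str_rot13", "preg_replace",
}


def _unescape(chunk):
    """Decode the two escapes PHP honours inside single-quoted strings."""
    return chunk.replace("\\'", "'").replace("\\\\", "\\")


def _requote(s):
    """Re-emit a string as a PHP single-quoted literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def collapse_concats(src):
    """Join every run of '.'-concatenated literals, as PHP would at runtime.

    Returns (rewritten_source, found), where found lists
    (chunk_count, joined_string) for each run that was collapsed.
    """
    found = []

    def repl(match):
        chunks = [_unescape(c) for c in re.findall(CHUNK, match.group(0))]
        joined = "".join(chunks)
        found.append((len(chunks), joined))
        return _requote(joined)

    return CONCAT_RE.sub(repl, src), found


def analyze(src, min_chunks=4):
    """Report reassembled dangerous names and heavily split literals."""
    rewritten, found = collapse_concats(src)
    dangerous = sorted({j for _, j in found if j.lower() in DANGEROUS})
    heavily_split = [j for n, j in found if n >= min_chunks]
    return {
        "rewritten": rewritten,
        "dangerous": dangerous,
        "heavily_split": heavily_split,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_PHP)
    print(report["rewritten"])
    print("dangerous names reassembled:", report["dangerous"])
    print("literals split into 4+ chunks:", report["heavily_split"])
```

Run it on a suspect file with `analyze(open(path).read())`; the rewritten source is also the more useful thing to feed into whatever signature scanner you already use, since the signatures were written for the unsplit names. A practitioner would treat a match in `heavily_split` as worth a look even when the joined string is not in `DANGEROUS`, because legitimate code has little reason to build a short constant out of seven pieces.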