Two Android apps available on the Google Play Store contain malware this week.
These applications are called “Smart TV remote” and “Halloween Coloring”, the former having been downloaded at least 1000 times.
Smart TV remote app packs ‘Joker’ malware
This week, Tatyana Shishkova, Android malware analyst at Kaspersky, revealed the names of two Google Play apps that contain Joker malware.
At least one of these apps, ‘Smart TV remote’, has been installed more than 1,000 times since its release on October 29.
According to Shishkova, these applications are trojanized with the Joker malware:
– Tatyana Shishkova (@ sh1shk0va) November 10, 2021
As previously reported by BleepingComputer, the threat actors behind the Joker malware hide malicious code in seemingly harmless apps and post them to official app stores. Earlier this year, more than 500,000 Huawei Android devices were infected with Joker.
The malware is known to subscribe users to premium mobile services without their consent or knowledge.
ELF Obfuscated Code Packs and APK Downloads
To better analyze the malicious code, BleepingComputer obtained the Android apps and decompiled these APKs.
As also confirmed by Shishkova, the malicious code exists in the âresources / assets / kup3x4nowzâ file of the Smart TV remote application. For the Halloween Coloring application, an identical file named “q7y4prmugi” exists in the same location.
These files contain base64 code, shown below, containing a Linux ELF binary:
This ELF binary additionally downloads the second stage payload hosted on an Amazon AWS instance. The URLs contained in the ELFs to the second stage payload are:
Smart TV remote control application: https: //50egvllxk3.s3.eu-west-3.amazonaws[.]com / an41ajkdp5
Halloween Coloring Application: https: //nwki8auofv.s3.sa-east-1.amazonaws[.]com / vl39sbv02d
As verified by BleepingComputer, these files an41ajkdp5 and vl39sbv02d being themselves encrypted by XOR, are not detected by any of the major antivirus engines to date.
Decoding these files with an XOR key ‘0x40’, however, produces APK archives. Essentially, the almost benign âSmart TV Remoteâ and âHalloween Coloringâ apps are a front for downloading malicious apps onto your Android devices.
Last month, Shishkova and Maxime Ingrao, a security researcher at mobile payments cybersecurity firm Evina, also surprised malicious “photo editor” apps on the Google Play Store.
BleepingComputer reported the malicious âSmart TV remoteâ and âHalloween Coloringâ apps to Google Play prior to publication, and we are awaiting a response from Google.
It is plausible that Google Play Protect could eventually catch these apps and offer automatic protection to affected users, despite the initial failure leading to the apps being published on the Play Store.
“Google Play Protect checks for apps when you install them. It also periodically scans your device. If it finds a potentially dangerous app, it may send you a notification, … disable the app until you uninstall it. , [or] delete the application automatically, “say official Google documents.
In the meantime, users who have installed any of these apps should uninstall the app immediately, clean their smartphones, and check for any unauthorized subscriptions or billing activity initiated from their accounts.