An Old Joker’s New Tricks: Using Github To Hide Its Payload


The Joker malware has consistently plagued mobile users since its discovery in 2017. In January 2020, Google removed 1,700 infected applications from the Play Store — a list that grew over three years. More recently, in September, security company Zscaler found 17 samples that had been uploaded to the Google Play Store. Joker has been responsible for a range of malicious activity, from signing up unwitting users for premium services and compromising SMS messaging to stealing contacts.

The malware has become a well-known persistent threat because its authors continually make small changes to probe for gaps in Google’s defenses. Previous techniques they have tried include encryption, to hide strings from analysis engines, and “versioning,” which involves uploading a clean version of the app and then adding malicious code via updates. We recently detected a new Joker malware version in a sample on Google Play that uses GitHub Pages and repositories in an attempt to evade detection. The sample was also found and analyzed by security researcher Tatyana Shishkova.

Source: Trend Micro