[MART] - Daily Diary #304 - The Joker Android Malware And Its New Evasion Techniques

CTAS-MAT ctas-mat at appgate.com
Wed Jul 14 22:56:49 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

07/14/2021 - Diary entry #304

The android malware called Joker is back on Google Play with several techniques to evade detection. As covered in our Daily Diary #113, Joker is known to disguise itself as a legitimate app to steal money using the user's mobile billing, abusing the android API to automatically subscribe the user in premium SMS services.

The latest versions of Joker are using an open-source development kit called Flutter. Flutter is a Google library and allows to develop native apps for different devices using the same code base. This makes malicious apps built with Flutter to look like a legitimate app to some traditional malware scanners.

Moreover, Joker uses a few other techniques, such as embedding the payload as a .DEX file, obfuscated with a basic encryption or hidden inside an image. The payload is then hosted in legitimate cloud services or on a remote command & control server.

Kind Regards,

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 11 97467 9549

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.immunityinc.com/pipermail/mart/attachments/20210714/d6677d4a/attachment.html>


More information about the MART mailing list