Windows malware uses legitimate P2P network to hide Watch Now

A new malware campaign has managed to infiltrate the official Google Play store to deploy the Joker Trojan to Android devices in a bid to conduct ad fraud.

Last week, security researcher Aleksejs Kuprins from cybersecurity threat intelligence firm CSIS Security Group said the surge of malicious activity has been tracked in recent weeks, leading to the discovery of 24 Android applications containing the malware.

In total, the applications -- made available through Google Play -- have been installed over 472,000 times by unwitting Android handset owners.

The malicious applications contained a Trojan dubbed Joker by the cybersecurity firm, a name that references one of the domain names connected to the operator's command-and-control (C2) server.

See also: Author of multiple IoT botnets pleads guilty

Joker attempts to remain silent and undetected on infected devices by making use of as little JavaScript code as possible and locking down its code through obfuscation techniques. In many cases, the malware has been integrated within advertising frameworks linked to its malicious apps.

The malicious code contains the usual list of Trojan functions including the theft of SMS messages, contact information, and device data, and constantly pings its C2 for commands. However, Joker goes further by attempting to generate profit for its operator through fraudulent advertising activity.

Joker is able to interact with ad networks and websites by simulating clicks and silently signing up victims for premium services. In one example, Joker signed up users in Denmark for a premium website service costing roughly 7 euros a week by simulating clicks on the website, automatically entering the operator's offer codes, and extracting confirmation codes from SMS messages sent to the target device. These codes are then submitted to the ad website to complete the process.

In other cases, the malware may simply send SMS messages to premium numbers.

CNET: Clerk uses photographic memory to steal credit card info from 1,300 customers

Each fraudulent 'job' is received from the C2 and once premium service signups are complete, Joker informs the C2 and awaits further instructions.

Joker's operators focus on 37 specific countries as targets, including China, the UK, Germany, France, Singapore, and Australia. Many of the infected apps found by the researchers contain a list of Mobile Country Codes (MCC) and the SIM card on an infected device has to relate to acceptable MCC for Joker to execute.

Most of these applications will not deploy the malware if users are in the United States or Canada; however, a handful of them do not contain any country restrictions.

TechRepublic: How to sign into your Microsoft Account website without a password

When it comes to Joker's attribution, nothing has been set in stone, but the interface of the C2's administration panel and some of the bot's coding indicate that the developers of the malware could be Chinese.

While the number of installs is relatively high, without the need for disclosure from the researchers, Google has detected and removed all of the malicious apps from Google Play. Malware creeping into official app repositories is a constant challenge, but in this case, the CSIS Security Group says the tech giant "seems to be on top of this threat as much as it is possible."

ZDNet has reached out to Google for comment and will update if we hear back.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0