‘Smart TV remote’ Android app on Google Play is malware

Two Android apps available on the Google Play store have been found to contain malware this week.
These apps are called ‘Smart TV remote’ and ‘Halloween Coloring’, with the former having been downloaded at least 1,000 times.
Smart TV remote app packs ‘Joker’ malware
This week, Tatyana Shishkova, Android malware analyst at Kaspersky, disclosed the names of two Google Play apps that are laced with Joker malware.
At least one of these apps, ‘Smart TV remote’, has been installed over 1,000 times since its publication on October 29th.
According to Shishkova, these apps are trojanized with the Joker malware:

#Joker Android Trojans on Google Play: https://t.co/jxJWbe8AH0 Oct 29, 1,000+ installs https://t.co/UmLssAqBF7 Nov 5, 1+ installs pic.twitter.com/wVLY4yI4Kz
— Tatyana Shishkova (@sh1shk0va) November 10, 2021
As previously reported by BleepingComputer, the threat actors behind the Joker malware hide malicious code in seemingly benign apps and publish them to official app stores. Earlier this year, over 500,000 Huawei Android devices were found to be infected with Joker.
The malware is known to subscribe users to premium mobile services without their consent or knowledge.
Obfuscated code packs ELFs and downloads APKs
To better analyze the malicious code, BleepingComputer obtained the Android apps and decompiled the APKs.
As also confirmed by Shishkova, the malicious code exists within the “resources/assets/kup3x4nowz” file inside the Smart TV remote app. For the Halloween Coloring app, an equivalent file named “q7y4prmugi” exists in the same location.
These files contain base64 code, shown below, packing a Linux ELF binary:

Base64-packed ELF inside the malicious Android app (BleepingComputer)
This ELF binary further downloads a second-stage payload hosted on an Amazon AWS instance. The URLs contained in the ELFs pointing to the second-stage payload are:
Smart TV remote app: https://50egvllxk3.s3.eu-west-3.amazonaws[.]com/yr41ajkdp5
Halloween Coloring app: https://nwki8auofv.s3.sa-east-1.amazonaws[.]com/vl39sbv02d

Second stage payload downloaded from an AWS server (BleepingComputer)
As checked by BleepingComputer, these files, yr41ajkdp5 and vl39sbv02d, being XOR-encrypted themselves, are not detected by any of the leading antivirus engines so far.
Decoding these files with the XOR key ‘0x40’, however, produces APK archives. In essence, the quasi-benign ‘Smart TV remote’ and ‘Halloween Coloring’ apps are a front for downloading malicious apps onto your Android devices.
Last month, malicious “photo editor” apps were also caught sitting on the Google Play store by Shishkova and Maxime Ingrao, a security researcher at mobile payments cybersecurity firm Evina.
BleepingComputer reported the malicious ‘Smart TV remote’ and ‘Halloween Coloring’ apps to Google Play prior to publishing, and we are awaiting Google’s response.
It is plausible that Google Play Protect might eventually catch these apps and provide automatic protection to affected users, despite the initial miss that led to the apps’ publication on the Play store.
“Google Play Protect checks apps when you install them. It also periodically scans your device. If it finds a potentially harmful app, it might send you a notification,… disable the app until you uninstall it, [or] remove the app automatically,” state Google’s official docs.
In the meantime, users who have installed either of these apps should uninstall the app immediately, clean up their smartphone, and check for any unauthorized subscriptions or billing activity initiated from their accounts.
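The two packing tricks described in this section, a base64 asset that decodes to an ELF and a download that only becomes an APK after a single-byte XOR, are easy to check for during triage. The script below is an added example written for this article, not BleepingComputer's or Kaspersky's tooling; the sample asset and payload it inspects are constructed inline (a fake ELF header and a tiny ZIP with an AndroidManifest.xml entry), so it runs offline without any real malware. It goes slightly beyond the article by brute-forcing every single-byte XOR key rather than assuming 0x40.

```python
"""Triage helpers for the two packing tricks described above:
   1. an APK asset holding a base64 string that decodes to a Linux ELF binary
   2. a downloaded second-stage blob that is XOR-encoded with a single-byte key
      and turns into a ZIP/APK archive once decoded.
Sample inputs are constructed inline; no real malware is needed to run this."""
import base64
import binascii
import io
import zipfile

ELF_MAGIC = b"\x7fELF"
ZIP_MAGIC = b"PK\x03\x04"


def try_base64(blob: bytes):
    """Return the decoded bytes if the blob is valid, padded base64, else None."""
    stripped = b"".join(blob.split())  # tolerate line breaks inside the asset
    if not stripped or len(stripped) % 4:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def xor_decode(blob: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key; XOR is its own inverse."""
    return bytes(b ^ key for b in blob)


def is_apk(blob: bytes) -> bool:
    """ZIP magic plus an AndroidManifest.xml entry is a reasonable APK test."""
    if not blob.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def classify(blob: bytes, xor_keys=range(1, 256)) -> str:
    """Label a blob the way an analyst would when triaging an unknown asset."""
    if blob.startswith(ELF_MAGIC):
        return "elf"
    if is_apk(blob):
        return "apk"
    decoded = try_base64(blob)
    if decoded is not None and decoded.startswith(ELF_MAGIC):
        return "base64-elf"
    # The article's payloads used key 0x40; trying all 255 keys is cheap and
    # avoids assuming the key stays fixed in future samples.
    for key in xor_keys:
        if is_apk(xor_decode(blob, key)):
            return f"xor-{key:#04x}-apk"
    return "unknown"


def build_fake_apk() -> bytes:
    """Constructed minimal archive carrying the entry name every APK has."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
    return buf.getvalue()


# Constructed samples standing in for the real asset and the real download.
FAKE_ELF = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00\xb7\x00"
BASE64_ASSET = base64.b64encode(FAKE_ELF)
XOR40_PAYLOAD = xor_decode(build_fake_apk(), 0x40)

if __name__ == "__main__":
    for name, sample in [("asset", BASE64_ASSET), ("download", XOR40_PAYLOAD)]:
        print(name, classify(sample))
```

On the real samples you would feed `classify()` the bytes of the asset file and of the downloaded blob; a `base64-elf` or `xor-0x40-apk` label is the indicator the article describes, and the brute-force loop reports whichever key actually yields an archive.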