Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Android Joker malware growing in volume
Android users find themselves in the middle of an arms race between Google (which owns the Android platform and its primary Google Play Store) and malware creators who want their malware listed for download on the Google Play Store. Google has spent years on a system designed to inspect the code of Android apps submitted for inclusion in the Google Play Store, in search of chunks of code that indicate a malicious intent or an undesirable outcome for an Android user. Malware app developers have had to work hard to evade the Google Play Store code checks. Joker, aka Bread, is a premium SMS and billing fraud app, one of the more successful examples of a malware family that has evolved to evade these code checks. Google has removed thousands of these Joker-modified malicious apps from the Google Play Store since last year, when researchers first discovered it. Despite the amount of effort put into getting rid of the malware, Joker keeps bouncing back.

Joker appears in the guise of a wide range of different apps: utilities and tools, wallpapers, translators, messaging services – in short, many clones of popular apps. Remember, Joker may actually be embedded in an app that looks and works exactly like the real version of almost any app you use. The Joker apps just have a little extra malware code buried deep, in one of the third-party libraries app makers routinely compile into their apps for a variety of legitimate reasons.

There are a few reasons why Joker manages a successful evasion of Google Play Store security code checks time and time again:

1. The malicious apps use obfuscation, from simple string substitution to complex commercial packers, to slow analysis and fool the Google Play Store.
2. When the Joker “developer” launches the app, it contains absolutely no malicious code. This establishes a history where the app that comes into the Google Play Store is clean. Only later does the malicious code appear in the app, following an update.
3. The app either decrypts its payload at runtime or downloads it dynamically, later.

Joker malware uses native code (JNI) instead of the more common DEX. Native code is written in C, which slows down the analysis of malicious code. By comparison, DEX, being bytecode compiled from Java, is much easier to decompile into something human-readable. The malware uses this JNI code for sending SMS messages, to make money and as one way of contacting its command-and-control network. The use of JNI and out-of-band signalling over the phone network instead of the internet may help Joker evade automated DEX scanners that don’t understand JNI. Joker clearly has developed an edge in the battle against Google’s automated code review on new apps, and we see no sign that Joker will slow down in 2021; it may be joined by competitors before long.
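As an added example (not from the HSD article, Google or the Joker researchers), the static triage heuristic below flags the APK traits the text attributes to Joker: bundled native libraries, SMS permissions, dynamic DEX loading and high-entropy assets that may hold an encrypted payload. The two APKs are constructed in memory; writing the manifest as plain text is an assumption for the demo (real APK manifests are binary XML), and the indicator strings are the author's choice, not a published signature.

```python
import io
import math
import random
import zipfile

# Indicator strings (assumption: chosen for this demo, not a published signature)
SMS_PERMS = (b"android.permission.SEND_SMS", b"android.permission.READ_SMS")
DYN_LOADERS = (b"Ldalvik/system/DexClassLoader;", b"Ldalvik/system/InMemoryDexClassLoader;")

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted/packed blobs sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_apk(apk_bytes: bytes) -> dict:
    """Scan an APK (a zip) for the four Joker-style traits and count how many are present."""
    f = {"native_libs": [], "sms_permission": False, "dynamic_loading": False, "high_entropy_assets": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name.startswith("lib/") and name.endswith(".so"):      # JNI code shipped with the app
                f["native_libs"].append(name)
            if name == "AndroidManifest.xml" and any(p in data for p in SMS_PERMS):
                f["sms_permission"] = True                             # premium-SMS capability
            if name.endswith(".dex") and any(s in data for s in DYN_LOADERS):
                f["dynamic_loading"] = True                            # payload loaded at runtime
            if name.startswith("assets/") and len(data) >= 256 and entropy(data) > 7.5:
                f["high_entropy_assets"].append(name)                  # possibly encrypted payload
    f["score"] = int(bool(f["native_libs"])) + int(f["sms_permission"]) \
        + int(f["dynamic_loading"]) + int(bool(f["high_entropy_assets"]))
    return f

def build_sample_apk(suspicious: bool) -> bytes:
    """Constructed in-memory APK: a suspicious variant with all four traits, or a plain one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        perm = b'<uses-permission android:name="android.permission.SEND_SMS"/>' if suspicious else b""
        z.writestr("AndroidManifest.xml", b"<manifest>" + perm + b"</manifest>")
        dex = b"dex\n035\x00" + (b"Ldalvik/system/DexClassLoader;" if suspicious else b"Ljava/lang/Object;")
        z.writestr("classes.dex", dex)
        if suspicious:
            z.writestr("lib/arm64-v8a/libhelper.so", b"\x7fELF" + bytes(64))
            rnd = random.Random(1)  # pseudo-random bytes stand in for an encrypted blob
            z.writestr("assets/config.bin", bytes(rnd.getrandbits(8) for _ in range(4096)))
        else:
            z.writestr("assets/strings.txt", b"hello world " * 64)
    return buf.getvalue()
```

Any single trait is common in legitimate apps (SMS apps need SEND_SMS, games ship native libraries), so the score is a triage signal for deciding what to inspect by hand, not a verdict.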