Two Android apps available on the Google Play store have been found to contain malware this week.These apps are called ‘Smart TV remote’ and ‘Halloween Coloring’, with the former having been downloaded over at least 1,000 times.
The threat actors behind the Joker malware hide malicious code in seemingly benign apps and publish these to official app stores. Earlier this year, over 500,000 Huawei Android devices were found to be infected with Joker.
To better analyze the malicious code, Android apps has been decompiled. The malicious code exists in the “resources/assets/kup3x4nowz” file within the Smart TV remote app. For the Halloween Coloring app, an identical file named “q7y4prmugi” exists at the same location.
These files contain base64 code, shown below, packing a Linux ELF binary:
This ELF binary further downloads second-stage payload hosted on an Amazon AWS instance. The URLs contained in the ELFs to second-stage payload
These files yr41ajkdp5 and vl39sbv02d being XOR-encrypted themselves, are not detected by any of the leading antivirus engines thus far.
Decoding these files with an XOR key ‘0x40’ however, produces APK archives. In essence, the quasi-benign ‘Smart TV remote’ and ‘Halloween Coloring’ apps are a front for downloading malicious apps onto your Android devices.
Google Play Protect checks apps when you install them. It also periodically scans your device. If it finds a potentially harmful app, it might send you a notification.disable the app until you uninstall it, [or] remove the app automatically.