Hackers and Google Play have been caught up in a tense dance over the past decade. The hackers sneak malware into the Google-owned Android app repository. Google throws it out and develops defenses to prevent it from happening again. Then the hackers find a new opening and do it all over again. This two-step has played out again, this time with a malware family known as the Joker, which has been infiltrating Play since at least 2017.
The Joker is malicious code that lurks inside seemingly legitimate apps. It often waits hours or days after the app is installed to run in an attempt to evade Google’s automated malware detection. On Thursday, researchers with security firm Check Point said the Joker has struck again, this time lurking in 11 seemingly legitimate apps downloaded from Play about 500,000 times. Once activated, the malware allowed the apps to surreptitiously subscribe users to pricey premium services.
The new variant found a new way to go undetected: it hid its malicious payload inside what's known as the manifest, the AndroidManifest.xml file that Google requires every app to include at the root of its APK. Google's intent is for the XML file to provide transparency by declaring the app's permissions, components, icons, and other metadata in one easy-to-find place. Parking executable code in a file that tooling treats as declarative metadata is what let the payload slip past checks aimed at the app's code.
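The article says the payload was hidden in the manifest but not where in it. The following added example (not Check Point's tooling and not the Joker's own code) shows one way a reviewer could triage a decoded AndroidManifest.xml for smuggled payloads. It assumes the blob would be stored as base64 text in a string attribute such as `<meta-data android:value="...">`; that placement, the 256-character threshold, and both sample manifests are assumptions constructed for the demo. A real APK carries the manifest as Android binary XML, so decode it first (for example with apktool or androguard) and feed the resulting text to `scan_manifest`.

```python
"""Heuristic scan of a decoded AndroidManifest.xml for smuggled payloads.

Added example, not the article's or Check Point's code. Assumes the manifest
has already been converted from Android binary XML to plain text.
"""
import base64
import binascii
import math
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")
MIN_SUSPICIOUS_LEN = 256  # hypothetical threshold; legitimate manifest strings are short
MAGIC = {
    b"dex\n": "DEX class file",
    b"\x7fELF": "ELF native binary",
    b"PK\x03\x04": "ZIP/APK/JAR archive",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ~8.0 means uniformly random (encrypted/packed)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_blob(value: str):
    """Return a verdict string if an attribute value looks like an embedded payload, else None."""
    if len(value) < MIN_SUSPICIOUS_LEN or not BASE64_RE.match(value):
        return None
    try:
        raw = base64.b64decode("".join(value.split()), validate=True)
    except (binascii.Error, ValueError):
        return None
    for magic, label in MAGIC.items():
        if raw.startswith(magic):
            return label
    if shannon_entropy(raw) > 7.0:
        return "high-entropy blob (possibly encrypted or packed)"
    return "large opaque base64 blob"


def scan_manifest(xml_text: str):
    """Walk every element/attribute in the manifest and collect suspicious values."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            verdict = classify_blob(value)
            if verdict:
                findings.append({
                    "element": elem.tag,
                    "attribute": attr.replace(ANDROID_NS, "android:"),
                    "name": elem.attrib.get(ANDROID_NS + "name"),
                    "encoded_length": len(value),
                    "verdict": verdict,
                })
    return findings


# --- Constructed sample input (not from any real app) ---
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpapers" android:icon="@mipmap/ic_launcher">
    <meta-data android:name="com.google.android.gms.version"
               android:value="@integer/google_play_services_version"/>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

# A fake DEX header followed by padding, and a uniformly distributed byte
# pattern standing in for an encrypted stage; both are synthetic.
FAKE_DEX = base64.b64encode(b"dex\n035\x00" + b"\x00" * 512).decode()
FAKE_PACKED = base64.b64encode(bytes(range(256)) * 3).decode()
SMUGGLED_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Wallpapers" android:icon="@mipmap/ic_launcher">
    <meta-data android:name="stage2" android:value="{FAKE_DEX}"/>
    <meta-data android:name="stage3" android:value="{FAKE_PACKED}"/>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for f in scan_manifest(SMUGGLED_MANIFEST):
        print(f)
```

The magic-byte check fires on a plainly embedded DEX; the entropy check is the fallback for a payload that has been encrypted before being stuffed into the manifest, which is the variant a scanner relying on signatures would miss.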