Google faces off against the Joker malware and loses again

Eleven application publishers lost years of effort in user acquisition after the Google Play Store deleted them off for housing a malware within the product

SINGAPORE: Google has removed 11 applications from the Play Store which were infected with malware that invisibly subscribes victims to premium services without their knowledge.

Going by the name Joker, the malware adapts to hide in the essential information file every Android app is required to have.

Aviran Hazum, a researcher at Check Point, told Profit that the Joker malware has evolved to hide malicious code inside what’s called the Android Manifest file of a legitimate application. “Every application must have an Android Manifest file in its root directory,” he said.

“The manifest file provides essential information about an application, such as name, icon, and permissions, to the Android system, which the system must have before it can run any of the application’s code. This way, the malware does not need to access command and control, which is a computer [that is] controlled by a cyber-criminal used to send commands to systems compromised by malware, to download the payload, the portion of the malware which performs the malicious action.”

Hazum said that the protections created by Google for the Play Store are not enough, adding that his team was able to detect numerous cases of Joker uploads on a weekly basis to Google Play, all of which were downloaded by unsuspecting users.

He added that despite Google’s investment in adding Play Store protections, the malware is tricky to detect and that stakeholders should fully expect Joker to adapt again to countermeasures taken.

Instead of waiting for a researcher to find vulnerabilities after application users have been compromised, application publishers have the option to employ ethical hackers that will find gaps for a bug bounty.

Ethical hackers are the reason malware success has slowed down in the past decade due to changes in the InfoSec industry, with some of the best hackers being security engineers that help companies improve their security posture by penetration testing for free.

Yet, with the success of ethical hackers in finding gaps in a site, application, or digital distribution services, the negative stigma surrounding the term hacker creates hesitation in adopting security powered by hackers.

“What started in the darkest underbelly of the internet has turned into a force for good, first as a respectable hobby and as something that talented people could do on the side,” said John Baker, a solutions engineering manager and bug bounty advisor for HackerOne.

“But now it is so much more than that — it’s a professional calling: hackers, pentesters and security researchers who are trusted and respected and providing a valuable service for us all.”

In a poll conducted by HackerOne, Chief Information Security Officers (CISOs) shared the top three challenges faced when adopting hacker-powered security: the scarcity of resources to find vulnerabilities, the reluctance to trust remote hackers as compared to the pen-test surveyors that they hire on-site in their office, and the prospect of slowing down the flow of work which may stifle innovation.

Speaking to Profit, Baker shared that if Agile and DevOps practices continue to be implemented without the corresponding changes to security practices, the pace of development in their organisation outstrips the security team’s resources.

“83 per cent of CISOs see security vulnerabilities as a significant threat to their organization, 45 per cent of CISOs admit pen-testing does not provide sufficient results to keep up in the face of development, [and] only 12 per cent believe that the pen-test is sufficient,” said Baker.

“There is a limit to how many security professionals an organisation can hire on the team. However, when you garner the power of the hacker community, it immediately brings more eyes to your assets. Every five minutes, a hacker reports a vulnerability on the HackerOne platform. In 77 per cent of our programmes, hackers find the first vulnerability in less than 24 hours after the initial launch.”

Baker told Profit that several HackerOne customers have detailed how implementing hacker-powered security saved them an average of almost $400,000 over a period of three years, which reduced internal security and application development efforts.

He said that a big reason for this is that bug bounty programmes take a ‘pay for results’ approach instead of a ‘pay for effort’ model. In this way, efforts are not duplicated just for the sake of compliance reporting.

“57 per cent of [the] CISOs [we polled] would rather accept the risks of security vulnerabilities than to invite unknown hackers to fix them,” said Baker.

“Only 26 per cent of CISOs are willing to accept bug submissions from the entire hacking community. 54 per cent of CISOs would not be comfortable accepting bug submissions from hackers with a criminal past. If you receive a vulnerability report today through email or LinkedIn or Twitter, you may wonder, ‘who is the sender?’ – it’s just an email address, usually associated with a Gmail account. Maybe the English language isn’t perfect. Then you wonder, how seriously should I take this?”

Daily data breaches and vulnerabilities exploited are not uncommon in the news. Putting a property on the internet will result in thousands of attacks, regardless of whether a bug bounty programme is inviting it or otherwise.

Smart companies are proactive, such as Sony, which announced its bug bounty programme in June for the Playstation – months ahead of the launch for the latest version of the console.

Sean Yeoh, an engineering lead at Assetnote, recently earned a $3,000 in bug bounty from Microsoft after discovering a mechanism to take over Microsoft Azure DevOps accounts using just one click.

Sam Curry, a security researcher, was awarded $4,000 by Starbucks for exposing a security flaw in the back-end web infrastructure that could have potentially leaked the records of up to 100 million customers of the coffee chain.

“With bug bounty, testing is continuous, ongoing, and mirrors the software development lifecycle,” said Baker.

“Data from bug bounty programmes can help aid innovation, speed up processes, and give development teams a better handle on what vulnerabilities are likely to be introduced; therefore speeding up successful delivery rather than slowing it down.”

This is why companies such as Spotify and Shopify use hacker-powered security to help aid innovation and inform development teams on what vulnerabilities are likely to be introduced. There is no faster way to find vulnerabilities than working with ethical hackers and compensating accordingly for the results.

Babar Khan Javed
Babar Khan Javed
Babar Khan Javed covers the advertising industry and marketing function in Pakistan for Profit. He can be reached on [email protected] with details about media, creative, and digital briefs, future projects, management changes, client wins or losses, and everything in between.

Must Read

Chinese ADM Group announces $350m investment to boost Pakistan’s EV sector

Investment to establish over 3,000 charging stations and a manufacturing plant, supporting Pakistan’s green energy transition