JuiceChecker-3PC: Introduces New Technique to Escape Malware Detection and Infect Millions of Smartphones

Mobile phone battery level

Authored by Michael Bittner, Digital Security & Operations Manager

Three global demand side platform (DSP) providers were the recent targets of a malicious campaign involving third party code that enables smart malware delivery. The bad actor behind the campaign has been seen in millions of page views within the past three weeks. In this Incident, the malware was inserted into creative posing as a legitimate ad for one of the largest department store retailers in the US. The Media Trust Digital Security & Operations (DSO) team was able to identify the malicious code and work with the DSPs to shut down the malware sources.

The malware, referred to as JuiceChecker-3PC by DSO, used Base64 encoding to bypass scanning, and would check for three distinct conditions that, when met, would trigger the redirection of the unsuspecting ad viewer to a malicious site. The conditions were:

  1. Whether the user agent is mobile-specific
  2. Whether the battery level falls between 20%-76%
  3. Whether the referrer is specified

The DSP often sees checks for user agent, device position or orientation, device motion, screen size, processor, etc. Checking for battery level range is unique and underscores the malware developer’s insights into how certain scanners work and how to avoid their detection. The DSO was able to identify the malware using a combination of scanning algorithms and behavioral analysis.

Given this malware’s level of encoding, most blockers and conventional scanning techniques continue to let the malware pass through and impact millions of site and mobile app users. Nipping the attacks in the bud is particularly important given the explosion of malicious ads in the digital ad supply chain and the millions of shoppers who use their devices to browse and make transactions online.