Google Play store applications laced with Joker malware yet again

Fresh Joker Malware Variant Targeting Android Users

For the last three years, Joker Trojan is making its way on Google Play Store. Quick Heal Security Labs recently spotted 8 Joker malware on Google Play Store and reported them to Google, which has now removed all the applications.

Fig. 1 Screenshots of Applications from Google Play Store

Joker is a spyware Trojan that steals the victim’s device like SMS messages, contact list, and device info. Then, it silently interacts with advertisement websites and subscribes the victim to premium services without their knowledge. In January, we have reported similar samples to Google and published a blog on the same.

Let’s see the working of one of the applications-

  • Application name: Element Scanner
  • Developer name: Obrien Connie
  • Download Count: 10K+

 

At launch, this application asks for notification access, which is used to get notification data. This application takes SMS data from notification, asks for Contacts access, and makes and manages phone call permission. After that, it is working like a document scanner application without showing any visible malicious activity to the user.

Fig. 2 Permissions asked by Application

But in the background, it downloads two payloads, one after the other. The first payload is downloaded from a Bitly short URL link, which is present in the original application from Google Play Store. See fig. 3 This application has link “h**p://bit[.]ly/3hT17RL”. Then this payload further downloads the next payload from the link – “h**p://skullali[.]oss-me-east 1[.]aliyuncs.com/realease.mp3”. This payload is nothing but malicious joker malware.

Fig. 3 Payload downloading flow

This final payload releases the .mp3 file, which contains code for notification access (Ref. Fig. 4), and the onReceive method (Ref. Fig. 5), which collects received SMS data.

Fig. 4 Code for notification access 

Fig. 5 Implementation of onReceive method

It also checks for the SIM provider’s country code. If this code starts with “520,” i.e., if Sim providers country is Thailand, it subscribes the user to premium services as shown in Fig.5.

Fig.6 Code for subscription

Malware authors spread these malware applications on the Google Play Store in scanner applications, wallpaper applications, message applications. These types of applications can quickly become a target. Users should try to avoid such applications and use such kinds of applications only from trusted developers.

 

IOC:

MD5  Detection Name 
05710c8525f31535eb7338653429b1fa  Android.Joker.Aad66 
9add1126cd52900c06ce4fe58ffc5f25  Android.Jocker.Abd79 
4705ce82dd8a969139f07b9576715dca  Android.Agent.Aed3f 
17c9de7d2a62fb0ed640fd2a348d6ffd  Android.Joker.Af409 
e4caf7c6a04139326d34bdb9b7282b00  Android.Agent.Aec9e 
6b11d98e9713b3f3a53e201394c1247b  Android.Joker.Af408 
995caba3370a6df5e73790d3461811e9  Android.Joker.Af406 
dfe73757188ebe9d10aded37b349400b  Android.Joker.Af407 

 

C2 server:

  • hxxp://buckts[.]oss-me-east-1[.]aliyuncs[.]com
  • hxxp://wter[.]oss-us-east-1[.]aliyuncs[.]com/
  • hxxp://skullali[.]oss-us-east-1[.]aliyuncs[.]com/
  • hxxp://161.117.46.64/svhyqj/mjcxzy
  • hxxp://suanleba[.]oss-us-west-1[.]aliyuncs[.]com
  • hxxps://new-sk.]oss-ap-southeast-1.]aliyuncs.]com
  • hxxp://517-1305586011.]cos.]na-toronto.]myqcloud.]com/b2

 

Tips to stay safe

  • Download applications only from trusted sources like Google Play Store.
  • Learn how to identify fake applications in Google Play Store.
  • Do not click on alien links received through messages or any other social media platforms.
  • Turn off installation from the unknown source option.
  • Read the pop-up messages you get from the Android system before accepting/allowing any new permissions.
  • Malicious developers spoof original application names and developer names. So, make sure you are downloading simple applications only. Often application descriptions contain typos and grammatical mistakes. Check the developer’s website if a link is available on the application’s webpage. Avoid using it if anything looks strange or odd.
  • Reviews and ratings can be fake but still reading user reviews of the application, and the experience of existing users can be helpful. Pay attention to reviews with low ratings.
  • Check download count of the application — popular applications have very high download counts. But do note that some fake applications have been downloaded thousands or even millions of times before they were discovered.
  • Avoid downloading applications from third-party application stores or links provided in SMSs, emails, or WhatsApp messages. Also, avoid installing applications that are downloaded after clicking on an advertisement.
  • Use a trusted antivirus like Quick Heal Mobile Security to stay safe from Android malware.
Digvijay Mane

Digvijay Mane

Follow @dvjmane19

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x