For the last three years, the Joker Trojan has been making its way onto the Google Play Store. Quick Heal Security Labs recently spotted 8 Joker malware applications on the Google Play Store and reported them to Google, which has now removed all of them.
Fig. 1 Screenshots of Applications from Google Play Store
Joker is a spyware Trojan that steals data from the victim’s device, such as SMS messages, the contact list, and device info. It then silently interacts with advertisement websites and subscribes the victim to premium services without their knowledge. In January, we reported similar samples to Google and published a blog post on them.
At launch, the application asks for notification access, which it uses to read notification data; this is how it obtains SMS content from incoming message notifications. It also asks for the Contacts permission and the permission to make and manage phone calls. After that, it works like a document scanner application and shows the user no visible malicious activity.
Fig. 2 Permissions asked by Application
In the background, however, it downloads two payloads, one after the other. The first payload is fetched from a Bitly short URL that is embedded in the original application published on the Google Play Store: the application contains the link “h**p://bit[.]ly/3hT17RL” (see Fig. 3). That first payload then downloads the next payload from “h**p://skullali[.]oss-me-east 1[.]aliyuncs.com/realease.mp3”. This second payload is the Joker malware itself.
Fig. 3 Payload downloading flow
This final payload, the .mp3 file, contains the code for notification access (see Fig. 4) and the onReceive method (see Fig. 5) that collects received SMS data.
Fig. 4 Code for notification access
Fig. 5 Implementation of onReceive method
It also checks the SIM provider’s country code. If this code starts with “520”, i.e., if the SIM provider’s country is Thailand, it subscribes the user to premium services, as shown in Fig. 6.
Fig. 6 Code for subscription
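A static triage heuristic for the indicator combination described above (a notification listener service together with contacts and call permissions, a URL-shortener link for the first stage, a payload disguised as an .mp3, and the MCC “520” gate), written as an added example that is not part of the original post or Quick Heal’s tooling. The manifest, code strings and URLs are constructed placeholders, not the real indicators.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# The post's permission set: notification access (SMS via notifications), contacts, calls.
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SUSPECT_PERMS = {"android.permission.READ_CONTACTS", "android.permission.CALL_PHONE"}
# Stage 1 is fetched from a URL shortener, stage 2 is a payload disguised as an .mp3.
SHORTENER_RE = re.compile(r"https?://(bit\.ly|tinyurl\.com|t\.co)/\S+", re.I)
DISGUISED_RE = re.compile(r"https?://\S+\.(mp3|png|jpg)\b", re.I)
# MCC 520 is Thailand; the sample gates the subscription on getSimOperator() starting with it.
MCC_GATE_RE = re.compile(r'getSimOperator\b.*?startsWith\("520"\)', re.S)

def triage_android_sample(manifest_xml, code_strings):
    """Score Joker-style indicators in a decoded manifest plus strings from decompiled code."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    listener = any(s.get(NS + "permission") == LISTENER_PERM for s in root.iter("service"))
    f = {
        "notification_listener": listener,
        "suspect_permissions": sorted(perms & SUSPECT_PERMS),
        "shortener_urls": [s for s in code_strings if SHORTENER_RE.search(s)],
        "disguised_payload_urls": [s for s in code_strings if DISGUISED_RE.search(s)],
        "mcc_gate": any(MCC_GATE_RE.search(s) for s in code_strings),
    }
    # Each indicator alone is weak; it is the combination that characterises this family.
    f["score"] = (2 * listener + len(f["suspect_permissions"]) + 2 * bool(f["shortener_urls"])
                  + 2 * bool(f["disguised_payload_urls"]) + 3 * f["mcc_gate"])
    f["verdict"] = "joker-like" if f["score"] >= 7 else "review" if f["score"] >= 3 else "clean"
    return f

# Constructed inputs mimicking the dropper described above (placeholder URLs, not real IoCs).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application><service android:name=".NotifSvc"
    android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/></application>
</manifest>"""
SAMPLE_STRINGS = [
    "http://bit.ly/PLACEHOLDER-stage1",
    "https://placeholder-bucket.example.com/realease.mp3",
    'String op = tm.getSimOperator(); if (op.startsWith("520")) { subscribe(); }',
]

def run_sample():
    return triage_android_sample(SAMPLE_MANIFEST, SAMPLE_STRINGS)

if __name__ == "__main__":
    print(run_sample())
```

The inputs would normally come from a decoded AndroidManifest.xml (e.g. via apktool) and a string dump of the decompiled classes; the thresholds are illustrative and should be tuned against a benign corpus.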
Malware authors distribute these malicious applications on the Google Play Store disguised as scanner applications, wallpaper applications, and messaging applications. Such categories are easy to imitate and quickly attract users. Users should be wary of applications of these kinds and install them only from trusted developers.