Type
|
Advisory |
Category
|
Malware |
Target Platform
|
Mobile Devices/ Android |
Joker malware/ trojan, dubbed Bread, targets Android mobile users. It masquerades as legitimate mobile applications on Google Play store, but after its installation it conducts various malicious activities including data exfiltration.
Joker has the ability to make automated interactions, by which it simulates user clicks on anything it wants leading to unauthorized user interaction. The infected applications contain a list of Mobile Country Codes (MCC), and the second stage payload delivery is based on the victim's SIM card using one of the listed country codes. EU and Asian regions are the prime targets of this trojan. Here is a list of victim nations:
- Australia
- Austria
- Belgium
- Brazil
- China
- Cyprus
- Egypt
- France
- Germany
- Ghana
- Greece
- Honduras
- India
- Indonesia
- Ireland
- Italy
- Kuwait
- Malaysia
- Myanmar
- Netherlands
- Norway
- Poland
- Portugal
- Qatar
- Republic of Argentina
- Serbia
- Singapore
- Slovenia
- Spain
- Sweden
- Switzerland
- Thailand
- Turkey
- Ukraine
- United Arab Emirates
- United Kingdom
- United States
The trojan has a command & control (C2) channel through which commands and data are sent. It is designed in a job-scheduler fashion, i.e. it periodically requests new commands from the C&C server. Given below are some key functionalities that are in-built in Joker:
- SMS extraction/ OTP extraction
- Multi-staged operation
- Unauthorized user interaction
- Money stealing
- JavaScript command injection
- Phone book contact extraction
Joker can hide within the advertisement frameworks, without exposing too much of its malicious code out in the open, which helps the malware evade detection. The different stages of payload delivery is as given below:
- Initial loading is done via a Joker Initialization Component, which is inserted in the advertisement frameworks of legitimate applications.
- After initialization, the malware will download AES encrypted configuration from the C2 server. And at the beginning of the second stage, a specially crafted string is sent to the C2 server for payload extraction.
- Eventually Joker will download the malware kit, a dex file, on the completion of the second stage.
- Dynamic loading of dex files are implemented to minimize Joker’s fingerprints on the device.
Impact
Technical Impact
- Malware makes subscriptions to premium services on behalf of the users.
- Grabs text messages for OTP stealing.
- Malware has the ability to interact with permission prompts without user’s consent making unauthorized approvals on client’s behalf to install additional tools.
- It is capable of extracting contacts from the phone, compromising the privacy of users.
- Command injection lets malware access filesystems and exfiltrate user data.
- Steals user form data to obtain credit card information.
Business Impact
- Compromise of critical employee data via mobile attacks gives attackers access to enterprise networks.
- Nation states target mobile platforms to carry out espionage attacks against large businesses and critical infrastructures.
Mitigations
- Remove all the applications mentioned in the section ‘Indicators of Compromise’ below.
- Check credit card bills/ account statements.
- Install an EDR solution for your mobile phone.
Indicators of Compromise
First stage (payload distribution) C&C:
http://3.122.143[.]26/
Main C&Cs:
http://joker2.dolphinsclean[.]com/
http://beatleslover[.]com/
http://47.254.144[.]154/
Second stage binaries (Core):
https://s3.amazonaws.com/media.site-group-df[.]com/s8-release
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8–5-release
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8-5-dsp-release
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8-all
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9-3-sendsms
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9–6-release
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9–6–2-release
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9-6-3
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y12-all-no-log
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y12-no-log
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y13-all
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y13-all-v2-no-log
Unpacked second stage of the build "Y13-all-v2-no-log" SHA256:
a7dc4238682147012751bb853001b053527ca8031a624bbd5db1a77a3e563ead
Loader YARA rule:
rule android_joker {
strings:
$c = { 52656D6F746520436C6F616B } // Remote Cloak
$cerr = { 6E6574776F726B2069737375653A20747279206C61746572 } // network issue: try later
$net = { 2F6170692F636B776B736C3F6963633D } // /api/ckwksl?icc=
$ip = { 332E3132322E3134332E3236 } // 3.122.143.26
condition:
($c and $cerr) or $net or $ip
}
Infected Android Apps
SHA256: b36fbe6b75f00ae835156185ca5d6955cdfbe410d73c3e5653dabbaff260f166
Package Name: com.with.nofear.myheart
Installs: 100,000+
Loader Path: com.startapp.android.publish
MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214
SHA256: 718210a0c41160240843711d79f2757548e72934e996b0e16a2b2277369d366b
Package Name: com.certain.icdesktop.wallpaper
Installs: 100,000+
Loader Path: com.tohsoft.wallpaper.ui.details.basics
MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214
SHA256: 81d784ee65a8dc113683cd7cc271a36da275a500621cefa187095951af3a5114
Package Name: com.building.castle.bster
Installs: 50,000+
Loader Path: com.startapp.android.publish
MCC Config: 620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286
SHA256: 2d9a7d75227c3332591e1af5a2f2223eec3328c75c95dea9a33ea269200faf38
Package Name: com.futureage.facelook
Installs: 50,000+
Loader Path: com.startapp.android.publish
MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214
SHA256: 1e724a5af76927106ee92421412af62698707d1d44a9891f91b3c6902f1780cd
Package Name: com.comeback.myside.sms
Installs: 50,000+
Loader Path: com.blur.blurphoto.view
MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286
SHA256: 69d94f94233a2e42d49eeafaea7bf2aad86671cdaf3be45b00ff3de624d7e883
Package Name: com.sybo.ggp.cam
Installs: 10,000+
Loader Path: com.startapp.android.publish
MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214
SHA256: e44f514c7729a6c39700db6ac51c817c77741e19178f8942c2d26f6b62ef9df5
Package Name: com.declare.smsarr.message
Installs: 10,000+
Loader Path: com.messages.messenger.chat.list
SHA256: 226e9c5ca45facb9b9a36529e09958546c4b351f4b7ae02101f8e3c1d6e3de7b
Package Name: com.change.nicephoto
Installs: 10,000+
Loader Path: com.blur.blurphoto.view.
MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286
SHA256: 6261be516a54d8566348b8305e96f34bdbf4f11620350c5f36f4bc3cb67fc181
Package Name: com.rapidface.smart.scanner
Installs: 10,000+
Loader Path: com.fungo.constellation.common.ball
MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214
SHA256: 43b36c438a3531e42623fbd00f5b57066a4db8048ce8e0ab0b5ecf9eac67aabf
Package Name: com.burning.rockn.scan
Installs: 10,000+
Loader Path: com.startapp.android.publish
MCC Config: 620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286
SHA256: da2171a32f3b95620c35a48a34fb7293a321ab41266d3461f808b2f07694e5a7
Package Name: com.board.picture.editing
Installs: 10,000+
Loader Path: com.color.black.filter
MCC Config: unknown_460_262_520_202_222_427_232
SHA256: 494c8c6155a08ae95a2f1962636911310c98d36f065e81eddf4ffcb172913495
Package Name: com.cute.hd4kcam.camera
Installs: 10,000+
Loader Path: com.facebook.appevents.camera.pics
MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214
SHA256: a8bf4055a4988ee181be9915c93c6278503be562475a558aef3c6dba54e06b13
Package Name: com.wallpapers.dazzle.gp
Installs: 10,000+
Loader Path: com.startapp.android.publish
MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214
SHA256: befde4166a9cdf2ff7c8f81fb5dec6a6760d20e0debbc667a8274899a248ef31
Package Name: com.cantwait.ezlife.wallpaper
Installs: 10,000+
Loader Path: com.startapp.android.publish
MCC Config: 620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286
SHA256: b631b2254850e62804fc66895850dcbf007d670aa843af8d2e525c85947da2d4
Package Name: com.Climate.sms
Installs: 10,000+
Loader Path: com.color.black.filter
MCC Config: unknown_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286
SHA256: 2e3bff9dda4c568a5e12c2f468227ec8dc5baf9913fe573f02ef2d5432b37bc0
Package Name: com.xw.supervpnfree
Installs: 5,000+
Loader Path: org.greenrobot.eventbus.util
MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286
SHA256: 9b4a1b7c638be029f0ffcb92dcfac74052f41fc36d43a45f6aa80d20d1285646
Package Name: com.vegtable.blif.camera
Installs: 5,000+
Loader Path: com.startapp.android.publish
SHA256: 5405e39dbde78e3b561a6e54f208ce557f04bdbdc363ea6442892d26ba91811e
Package Name: com.print.plant.scan
Installs: 5,000+
Loader Path: com.plantfinder.identification.ui.inner
MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214
SHA256: 65135899349daca2646ca36c5a442382bc988f5b3749a2bd5322170d777af77a
Package Name com.saying.wallpaper.bb
Installs: 5,000+
Loader Path: com.startapp.android.publish
MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214
SHA256: 54aba1530d829c71b2410c06628de034e38bc52be3002f82cc771c219d91958d
Package Name: com.hampi.sender
Installs: 1,000+
Loader Path: com.color.black.filter
MCC Config: unknown_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286
SHA256: 27450c3c735dc3dcba9254a3b08ed22bbcde8631343cb70107d4e41e17fbb548
Package Name: com.Ignite.amino.clean (still up!)
Installs: 1,000+
Loader Path: com.alc.coolermaster.activity.create
MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286_602_255
SHA256: 162ee177dea9b94366063de63dffd97f92f7a50e0e429d54fea73dc3a52f1b3a
Package Name: com.anti.mysecurity
Loader Path: org.greenrobot.eventbus.util
MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286
SHA256: f165e04ee6ec84a2e57108c0f7e157a5dc1158fb38a161e5cfcde89476838c09
Package Name: com.hello.sweetangle.horoscope
Loader Path: com.mopub.common.boost
SHA256: 0eba66cda54c732645ca69949882097c2f2e69dff917e8834b6636ef00848772
Package Name: com.tr.rushphoto
Loader Path: com.mopub.common.boost