Joker Malware Threat Intel Advisory

Summary

CloudSEK Threat Intelligence Advisory on Joker malware, masquerades as legitimate mobile apps on Google Play store infecting Android devices.
Type
Advisory
Category
Malware
Target Platform
Mobile Devices/ Android
  Joker malware/ trojan, dubbed Bread, targets Android mobile users. It masquerades as legitimate mobile applications on Google Play store, but after its installation it conducts various malicious activities including data exfiltration.  Joker has the ability to make automated interactions, by which it simulates user clicks on anything it wants leading to unauthorized user interaction. The infected applications contain a list of Mobile Country Codes (MCC), and the second stage payload delivery is based on the victim's SIM card using one of the listed country codes. EU and Asian regions are the prime targets of this trojan. Here is a list of victim nations:
  • Australia
  • Austria
  • Belgium
  • Brazil
  • China
  • Cyprus
  • Egypt
  • France
  • Germany
  • Ghana
  • Greece
  • Honduras 
  • India
  • Indonesia
  • Ireland
  • Italy
  • Kuwait
  • Malaysia
  • Myanmar
  • Netherlands
  • Norway
  • Poland
  • Portugal
  • Qatar
  • Republic of Argentina
  • Serbia
  • Singapore
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • Thailand
  • Turkey
  • Ukraine
  • United Arab Emirates
  • United Kingdom
  • United States
The trojan has a command & control (C2) channel through which commands and data are sent. It is designed in a job-scheduler fashion, i.e. it periodically requests new commands from the C&C server. Given below are some key functionalities that are in-built in Joker:
  • SMS extraction/ OTP extraction
  • Multi-staged operation
  • Unauthorized user interaction 
  • Money stealing
  • JavaScript command injection
  • Phone book contact extraction
Joker can hide within the advertisement frameworks, without exposing too much of its malicious code out in the open, which helps the malware evade detection. The different stages of payload delivery is as given below:
  • Initial loading is done via a Joker Initialization Component, which is inserted in the advertisement frameworks of legitimate applications.
  • After initialization, the malware will download AES encrypted configuration from the C2 server. And at the beginning of the second stage, a specially crafted string is sent to the C2 server for payload extraction. 
  • Eventually Joker will download the malware kit, a dex file, on the completion of the second stage.
  • Dynamic loading of dex files are implemented to minimize Joker’s fingerprints on the device.

Impact

Technical Impact
  • Malware makes subscriptions to premium services on behalf of the users.
  • Grabs text messages for OTP stealing.
  • Malware has the ability to interact with permission prompts without  user’s consent making unauthorized approvals on client’s behalf to install additional tools.
  • It is capable of extracting contacts from the phone, compromising the privacy of users.
  • Command injection lets malware access filesystems and exfiltrate user data.
  • Steals user form data to obtain credit card information.
Business Impact
  • Compromise of critical employee data via mobile attacks gives attackers access to enterprise networks.
  • Nation states target mobile platforms to carry out espionage attacks against large businesses and critical infrastructures.

Mitigations

  • Remove all the applications mentioned in the section ‘Indicators of Compromise’ below.
  • Check credit card bills/ account statements.
  • Install an EDR solution for your mobile phone.

Indicators of Compromise

First stage (payload distribution) C&C: 
http://3.122.143[.]26/
Main C&Cs:
http://joker2.dolphinsclean[.]com/ http://beatleslover[.]com/ http://47.254.144[.]154/
Second stage binaries (Core):
https://s3.amazonaws.com/media.site-group-df[.]com/s8-release https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8–5-release https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8-5-dsp-release https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8-all https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9-3-sendsms https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9–6-release https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9–6–2-release https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9-6-3 https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y12-all-no-log https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y12-no-log https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y13-all https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y13-all-v2-no-log
Unpacked second stage of the build "Y13-all-v2-no-log" SHA256: 
a7dc4238682147012751bb853001b053527ca8031a624bbd5db1a77a3e563ead
Loader YARA rule:
 
rule android_joker {     

    strings:

        $c = { 52656D6F746520436C6F616B } // Remote Cloak

        $cerr = { 6E6574776F726B2069737375653A20747279206C61746572 } // network issue: try later

        $net = { 2F6170692F636B776B736C3F6963633D } // /api/ckwksl?icc=

        $ip = { 332E3132322E3134332E3236 } // 3.122.143.26     

    condition:

        ($c and $cerr) or $net or $ip 

}

Infected Android Apps

  SHA256: b36fbe6b75f00ae835156185ca5d6955cdfbe410d73c3e5653dabbaff260f166 Package Name: com.with.nofear.myheart Installs: 100,000+ Loader Path: com.startapp.android.publish MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214   SHA256: 718210a0c41160240843711d79f2757548e72934e996b0e16a2b2277369d366b Package Name: com.certain.icdesktop.wallpaper Installs: 100,000+ Loader Path: com.tohsoft.wallpaper.ui.details.basics MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214   SHA256: 81d784ee65a8dc113683cd7cc271a36da275a500621cefa187095951af3a5114 Package Name: com.building.castle.bster Installs: 50,000+ Loader Path: com.startapp.android.publish MCC Config: 620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286   SHA256: 2d9a7d75227c3332591e1af5a2f2223eec3328c75c95dea9a33ea269200faf38 Package Name: com.futureage.facelook Installs: 50,000+ Loader Path: com.startapp.android.publish MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214   SHA256: 1e724a5af76927106ee92421412af62698707d1d44a9891f91b3c6902f1780cd Package Name: com.comeback.myside.sms Installs: 50,000+ Loader Path: com.blur.blurphoto.view MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286   SHA256: 69d94f94233a2e42d49eeafaea7bf2aad86671cdaf3be45b00ff3de624d7e883 Package Name: com.sybo.ggp.cam Installs: 10,000+ Loader Path: com.startapp.android.publish MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214   SHA256: e44f514c7729a6c39700db6ac51c817c77741e19178f8942c2d26f6b62ef9df5 Package Name: com.declare.smsarr.message Installs: 10,000+ Loader Path: com.messages.messenger.chat.list   SHA256: 226e9c5ca45facb9b9a36529e09958546c4b351f4b7ae02101f8e3c1d6e3de7b Package Name: com.change.nicephoto Installs: 10,000+ Loader Path: com.blur.blurphoto.view. MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286   SHA256: 6261be516a54d8566348b8305e96f34bdbf4f11620350c5f36f4bc3cb67fc181 Package Name: com.rapidface.smart.scanner Installs: 10,000+  Loader Path: com.fungo.constellation.common.ball MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214   SHA256: 43b36c438a3531e42623fbd00f5b57066a4db8048ce8e0ab0b5ecf9eac67aabf Package Name: com.burning.rockn.scan Installs: 10,000+ Loader Path: com.startapp.android.publish MCC Config: 620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286   SHA256: da2171a32f3b95620c35a48a34fb7293a321ab41266d3461f808b2f07694e5a7 Package Name: com.board.picture.editing Installs: 10,000+ Loader Path: com.color.black.filter MCC Config: unknown_460_262_520_202_222_427_232 SHA256: 494c8c6155a08ae95a2f1962636911310c98d36f065e81eddf4ffcb172913495 Package Name: com.cute.hd4kcam.camera Installs: 10,000+ Loader Path: com.facebook.appevents.camera.pics MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214   SHA256: a8bf4055a4988ee181be9915c93c6278503be562475a558aef3c6dba54e06b13 Package Name: com.wallpapers.dazzle.gp Installs: 10,000+ Loader Path: com.startapp.android.publish MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214   SHA256: befde4166a9cdf2ff7c8f81fb5dec6a6760d20e0debbc667a8274899a248ef31 Package Name: com.cantwait.ezlife.wallpaper Installs: 10,000+ Loader Path: com.startapp.android.publish MCC Config: 620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286   SHA256: b631b2254850e62804fc66895850dcbf007d670aa843af8d2e525c85947da2d4 Package Name: com.Climate.sms Installs: 10,000+ Loader Path: com.color.black.filter MCC Config: unknown_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286   SHA256: 2e3bff9dda4c568a5e12c2f468227ec8dc5baf9913fe573f02ef2d5432b37bc0 Package Name: com.xw.supervpnfree Installs: 5,000+ Loader Path: org.greenrobot.eventbus.util MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286   SHA256: 9b4a1b7c638be029f0ffcb92dcfac74052f41fc36d43a45f6aa80d20d1285646 Package Name: com.vegtable.blif.camera Installs: 5,000+ Loader Path: com.startapp.android.publish   SHA256: 5405e39dbde78e3b561a6e54f208ce557f04bdbdc363ea6442892d26ba91811e Package Name: com.print.plant.scan Installs: 5,000+ Loader Path: com.plantfinder.identification.ui.inner MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214   SHA256: 65135899349daca2646ca36c5a442382bc988f5b3749a2bd5322170d777af77a Package Name com.saying.wallpaper.bb Installs: 5,000+ Loader Path: com.startapp.android.publish MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214   SHA256: 54aba1530d829c71b2410c06628de034e38bc52be3002f82cc771c219d91958d Package Name: com.hampi.sender Installs: 1,000+ Loader Path: com.color.black.filter MCC Config: unknown_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286   SHA256: 27450c3c735dc3dcba9254a3b08ed22bbcde8631343cb70107d4e41e17fbb548 Package Name: com.Ignite.amino.clean (still up!) Installs: 1,000+ Loader Path: com.alc.coolermaster.activity.create MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286_602_255   SHA256: 162ee177dea9b94366063de63dffd97f92f7a50e0e429d54fea73dc3a52f1b3a Package Name: com.anti.mysecurity Loader Path: org.greenrobot.eventbus.util MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286   SHA256: f165e04ee6ec84a2e57108c0f7e157a5dc1158fb38a161e5cfcde89476838c09 Package Name: com.hello.sweetangle.horoscope Loader Path: com.mopub.common.boost   SHA256: 0eba66cda54c732645ca69949882097c2f2e69dff917e8834b6636ef00848772 Package Name: com.tr.rushphoto Loader Path: com.mopub.common.boost

Table of Contents

Request an easy and customized demo for free