Joker Malware Threat Intel Advisory

Published on October 16, 2020 | 18:30 PM IST


Type: Advisory
Category: Malware
Target Platform: Mobile Devices / Android


Joker, a trojan also known as Bread, targets Android mobile users. It masquerades as legitimate applications on the Google Play store and, once installed, carries out a range of malicious activities including data exfiltration.

Joker can automate user interaction: it simulates taps on whatever UI element it chooses, performing actions the user never authorized. The infected applications carry a list of Mobile Country Codes (MCC), and delivery of the second-stage payload is conditioned on the victim's SIM card reporting one of the listed country codes. The EU and Asia are the prime targets of this trojan. Victim nations:

  • Australia
  • Austria
  • Belgium
  • Brazil
  • China
  • Cyprus
  • Egypt
  • France
  • Germany
  • Ghana
  • Greece
  • Honduras 
  • India
  • Indonesia
  • Ireland
  • Italy
  • Kuwait
  • Malaysia
  • Myanmar
  • Netherlands
  • Norway
  • Poland
  • Portugal
  • Qatar
  • Republic of Argentina
  • Serbia
  • Singapore
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • Thailand
  • Turkey
  • Ukraine
  • United Arab Emirates
  • United Kingdom
  • United States
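To show how the MCC-based targeting described above lines up with the MCC Config strings recorded for each app in the Indicators of Compromise, here is an added Python example (not code from the advisory or from the malware): it parses a config string, drops the "unknown" token and duplicate codes, maps each code to its country using the ITU-T E.212 assignments for the countries this advisory names, and checks whether a given SIM MCC falls in the target set. The helper names and the SIM value in the test are this example's own assumptions.

```python
"""Decode Joker 'MCC Config' target lists and check a SIM's MCC against them."""

# Mobile Country Codes (ITU-T E.212) for the countries named in the advisory.
MCC_COUNTRY = {
    "202": "Greece", "204": "Netherlands", "206": "Belgium", "208": "France",
    "214": "Spain", "220": "Serbia", "222": "Italy", "228": "Switzerland",
    "232": "Austria", "234": "United Kingdom", "240": "Sweden", "242": "Norway",
    "255": "Ukraine", "260": "Poland", "262": "Germany", "268": "Portugal",
    "272": "Ireland", "280": "Cyprus", "286": "Turkey", "293": "Slovenia",
    "310": "United States", "404": "India", "414": "Myanmar", "419": "Kuwait",
    "424": "United Arab Emirates", "427": "Qatar", "460": "China",
    "502": "Malaysia", "505": "Australia", "510": "Indonesia", "520": "Thailand",
    "525": "Singapore", "602": "Egypt", "620": "Ghana", "708": "Honduras",
    "722": "Argentina", "724": "Brazil",
}


def parse_mcc_config(config: str) -> list[str]:
    """Split an underscore-joined MCC config string into unique 3-digit MCCs.

    The 'unknown' token seen in some samples is dropped, and repeated codes
    (some configs list 208 twice) are collapsed while keeping first-seen order.
    """
    seen: list[str] = []
    for token in config.strip().split("_"):
        if token.isdigit() and len(token) == 3 and token not in seen:
            seen.append(token)
    return seen


def target_countries(config: str) -> list[str]:
    """Resolve a config string to country names; codes outside the table are flagged."""
    return [MCC_COUNTRY.get(mcc, f"MCC {mcc} (unmapped)") for mcc in parse_mcc_config(config)]


def sim_is_targeted(sim_mcc: str, config: str) -> bool:
    """True when a SIM's MCC (e.g. '262' for Germany) is in the payload's target list."""
    return sim_mcc in parse_mcc_config(config)


# Config string taken from the advisory's app list (shared by several samples).
SAMPLE_CONFIG = "unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214"

if __name__ == "__main__":
    for country in target_countries(SAMPLE_CONFIG):
        print(country)
    print("German SIM targeted:", sim_is_targeted("262", SAMPLE_CONFIG))
```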

The trojan communicates over a command and control (C2) channel through which commands and data are exchanged. It is designed in a job-scheduler fashion, i.e. it periodically polls the C2 server for new commands. Key functionalities built into Joker:

  • SMS extraction/ OTP extraction
  • Multi-staged operation
  • Unauthorized user interaction 
  • Money stealing
  • JavaScript command injection
  • Phone book contact extraction

Joker hides inside advertisement frameworks, exposing little of its malicious code in the open, which helps it evade detection. The stages of payload delivery are as follows:

  • Initial loading is done by a Joker initialization component inserted into the advertisement framework of a legitimate application.
  • After initialization, the malware downloads an AES-encrypted configuration from the C2 server. At the start of the second stage it sends a specially crafted string to the C2 server to request the payload.
  • On completion of the second stage, Joker downloads the malware kit, a dex file.
  • Dex files are loaded dynamically to minimize Joker's footprint on the device.

Impact

Technical Impact
  • The malware subscribes users to premium services without their knowledge.
  • It grabs text messages in order to steal OTPs.
  • It can interact with permission prompts without the user's consent, granting approvals on the user's behalf in order to install additional tools.
  • It can extract contacts from the phone, compromising users' privacy.
  • Command injection lets the malware access the filesystem and exfiltrate user data.
  • It steals user form data to obtain credit card information.
Business Impact
  • Compromise of critical employee data via mobile attacks gives attackers access to enterprise networks.
  • Nation states target mobile platforms to carry out espionage attacks against large businesses and critical infrastructures.

Mitigations

  • Remove all applications listed in the 'Indicators of Compromise' section below.
  • Check credit card bills and account statements for unexpected premium-service charges.
  • Install an EDR solution on mobile devices.

Indicators of Compromise

First stage (payload distribution) C2: http://3.122.143[.]26/

Main C2s:
  • http://joker2.dolphinsclean[.]com/
  • http://beatleslover[.]com/
  • http://47.254.144[.]154/

Second stage binaries (Core):

Unpacked second stage of the build "Y13-all-v2-no-log", SHA256:
a7dc4238682147012751bb853001b053527ca8031a624bbd5db1a77a3e563ead

Loader YARA rule:

rule android_joker {
    strings:
        $c    = { 52656D6F746520436C6F616B }                          // "Remote Cloak"
        $cerr = { 6E6574776F726B2069737375653A20747279206C61746572 } // "network issue: try later"
        $net  = { 2F6170692F636B776B736C3F6963633D }                  // "/api/ckwksl?icc="
        $ip   = { 332E3132322E3134332E3236 }                          // "3.122.143.26"
    condition:
        ($c and $cerr) or $net or $ip
}
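As an added example (not part of the advisory), the following Python decodes the rule's hex strings back to the plaintext shown in its comments and evaluates the same condition over a byte buffer, so the rule's string table and logic can be sanity-checked without a YARA install. The sample buffers are constructed, not real loader bytes, and the function names are this example's own.

```python
"""Evaluate the advisory's android_joker loader rule over a byte buffer without YARA."""

# The hex patterns exactly as they appear in the advisory's YARA rule.
JOKER_STRINGS = {
    "$c":    "52656D6F746520436C6F616B",
    "$cerr": "6E6574776F726B2069737375653A20747279206C61746572",
    "$net":  "2F6170692F636B776B736C3F6963633D",
    "$ip":   "332E3132322E3134332E3236",
}


def decode_patterns() -> dict[str, bytes]:
    """Turn each hex pattern into the raw bytes YARA would search for."""
    return {name: bytes.fromhex(hexstr) for name, hexstr in JOKER_STRINGS.items()}


def matched_strings(buf: bytes) -> set[str]:
    """Names of the rule's strings that occur anywhere in buf."""
    return {name for name, pat in decode_patterns().items() if pat in buf}


def android_joker(buf: bytes) -> bool:
    """Mirror the rule's condition: ($c and $cerr) or $net or $ip."""
    hits = matched_strings(buf)
    return ({"$c", "$cerr"} <= hits) or "$net" in hits or "$ip" in hits


# Constructed sample buffers: the rule strings surrounded by filler bytes.
SAMPLE_HIT = b"\x00" * 16 + b"Remote Cloak" + b"\x00" * 8 + b"network issue: try later"
SAMPLE_MISS = b"\x00" * 16 + b"Remote Cloak" + b"\x00" * 8   # $c alone does not fire

if __name__ == "__main__":
    for name, pat in decode_patterns().items():
        print(name, "=", pat.decode("ascii"))
    print("hit:", android_joker(SAMPLE_HIT), "miss:", android_joker(SAMPLE_MISS))
```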

Infected Android Apps

SHA256: b36fbe6b75f00ae835156185ca5d6955cdfbe410d73c3e5653dabbaff260f166
Package Name: com.with.nofear.myheart
Installs: 100,000+
Loader Path: com.startapp.android.publish
MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214

SHA256: 718210a0c41160240843711d79f2757548e72934e996b0e16a2b2277369d366b
Package Name: com.certain.icdesktop.wallpaper
Installs: 100,000+
Loader Path: com.tohsoft.wallpaper.ui.details.basics
MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214

SHA256: 81d784ee65a8dc113683cd7cc271a36da275a500621cefa187095951af3a5114
Package Name: com.building.castle.bster
Installs: 50,000+
Loader Path: com.startapp.android.publish
MCC Config: 620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286

SHA256: 2d9a7d75227c3332591e1af5a2f2223eec3328c75c95dea9a33ea269200faf38
Package Name: com.futureage.facelook
Installs: 50,000+
Loader Path: com.startapp.android.publish
MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214

SHA256: 1e724a5af76927106ee92421412af62698707d1d44a9891f91b3c6902f1780cd
Package Name: com.comeback.myside.sms
Installs: 50,000+
Loader Path: com.blur.blurphoto.view
MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286

SHA256: 69d94f94233a2e42d49eeafaea7bf2aad86671cdaf3be45b00ff3de624d7e883
Package Name: com.sybo.ggp.cam
Installs: 10,000+
Loader Path: com.startapp.android.publish
MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214

SHA256: e44f514c7729a6c39700db6ac51c817c77741e19178f8942c2d26f6b62ef9df5
Package Name: com.declare.smsarr.message
Installs: 10,000+
Loader Path: com.messages.messenger.chat.list

SHA256: 226e9c5ca45facb9b9a36529e09958546c4b351f4b7ae02101f8e3c1d6e3de7b
Package Name: com.change.nicephoto
Installs: 10,000+
Loader Path: com.blur.blurphoto.view
MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286

SHA256: 6261be516a54d8566348b8305e96f34bdbf4f11620350c5f36f4bc3cb67fc181
Package Name: com.rapidface.smart.scanner
Installs: 10,000+
Loader Path: com.fungo.constellation.common.ball
MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214

SHA256: 43b36c438a3531e42623fbd00f5b57066a4db8048ce8e0ab0b5ecf9eac67aabf
Package Name: com.burning.rockn.scan
Installs: 10,000+
Loader Path: com.startapp.android.publish
MCC Config: 620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286

SHA256: da2171a32f3b95620c35a48a34fb7293a321ab41266d3461f808b2f07694e5a7
Package Name: com.board.picture.editing
Installs: 10,000+
Loader Path: com.color.black.filter
MCC Config: unknown_460_262_520_202_222_427_232

SHA256: 494c8c6155a08ae95a2f1962636911310c98d36f065e81eddf4ffcb172913495
Package Name: com.cute.hd4kcam.camera
Installs: 10,000+
Loader Path: com.facebook.appevents.camera.pics
MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214

SHA256: a8bf4055a4988ee181be9915c93c6278503be562475a558aef3c6dba54e06b13
Package Name: com.wallpapers.dazzle.gp
Installs: 10,000+
Loader Path: com.startapp.android.publish
MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214

SHA256: befde4166a9cdf2ff7c8f81fb5dec6a6760d20e0debbc667a8274899a248ef31
Package Name: com.cantwait.ezlife.wallpaper
Installs: 10,000+
Loader Path: com.startapp.android.publish
MCC Config: 620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286

SHA256: b631b2254850e62804fc66895850dcbf007d670aa843af8d2e525c85947da2d4
Package Name: com.Climate.sms
Installs: 10,000+
Loader Path: com.color.black.filter
MCC Config: unknown_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286

SHA256: 2e3bff9dda4c568a5e12c2f468227ec8dc5baf9913fe573f02ef2d5432b37bc0
Package Name: com.xw.supervpnfree
Installs: 5,000+
Loader Path: org.greenrobot.eventbus.util
MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286

SHA256: 9b4a1b7c638be029f0ffcb92dcfac74052f41fc36d43a45f6aa80d20d1285646
Package Name: com.vegtable.blif.camera
Installs: 5,000+
Loader Path: com.startapp.android.publish

SHA256: 5405e39dbde78e3b561a6e54f208ce557f04bdbdc363ea6442892d26ba91811e
Package Name: com.print.plant.scan
Installs: 5,000+
Loader Path: com.plantfinder.identification.ui.inner
MCC Config: unknown_262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214

SHA256: 65135899349daca2646ca36c5a442382bc988f5b3749a2bd5322170d777af77a
Package Name: com.saying.wallpaper.bb
Installs: 5,000+
Loader Path: com.startapp.android.publish
MCC Config: 262_202_460_268_520_502_424_510_414_232_204_222_272_427_228_214

SHA256: 54aba1530d829c71b2410c06628de034e38bc52be3002f82cc771c219d91958d
Package Name: com.hampi.sender
Installs: 1,000+
Loader Path: com.color.black.filter
MCC Config: unknown_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286

SHA256: 27450c3c735dc3dcba9254a3b08ed22bbcde8631343cb70107d4e41e17fbb548
Package Name: com.Ignite.amino.clean (still up!)
Installs: 1,000+
Loader Path: com.alc.coolermaster.activity.create
MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286_602_255

SHA256: 162ee177dea9b94366063de63dffd97f92f7a50e0e429d54fea73dc3a52f1b3a
Package Name: com.anti.mysecurity
Loader Path: org.greenrobot.eventbus.util
MCC Config: 242_620_708_208_427_310_262_202_460_268_520_502_424_510_414_232_204_222_228_272_240_724_404_722_505_206_280_214_208_234_419_260_220_525_293_286

SHA256: f165e04ee6ec84a2e57108c0f7e157a5dc1158fb38a161e5cfcde89476838c09
Package Name: com.hello.sweetangle.horoscope
Loader Path: com.mopub.common.boost

SHA256: 0eba66cda54c732645ca69949882097c2f2e69dff917e8834b6636ef00848772
Package Name: com.tr.rushphoto
Loader Path: com.mopub.common.boost
