{"id":89557,"date":"2021-01-22T20:08:06","date_gmt":"2021-01-22T14:38:06","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=89557"},"modified":"2023-06-20T16:49:11","modified_gmt":"2023-06-20T11:19:11","slug":"stay-alert-joker-still-making-its-way-on-google-play-store","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/stay-alert-joker-still-making-its-way-on-google-play-store\/","title":{"rendered":"Stay Alert, Joker still making its way on Google Play Store!"},"content":{"rendered":"

We recently came across 2 malicious Joker family malware applications on Google Play Store\u00a0 \u2014 the company was quick to remove these malicious applications<\/a> from their store based on our report. These two applications, namely \u201cEasy QR Scanner<\/strong>\u201d and \u201cFree Translator<\/strong>\u201d have more than 10k installs each.<\/p>\n

\"Fig.1
Fig.1 Application icons<\/figcaption><\/figure>\n

What is Joker Malware? <\/strong><\/h2>\n

Joker is spyware which steals the victim\u2019s SMS messages, contact list and the device info. It silently interacts with advertisement websites and subscribes the victim to premium services without their knowledge. The name \u201cJoker\u201d is taken from one of the C&C domains of earlier found samples.<\/p>\n

From its inception, Joker family malware continued to find their way on Google Play Store by using different tricks. In January last year, Google informed about the removal of more than 1700 Joker malware applications although many researchers continued finding apps rigged with the spyware. This is because malware authors continue to do small changes in their code or payload retrieval techniques to evade the detections.<\/p>\n

Here is our analysis of Easy QR Scanner <\/strong>Application –<\/p>\n

At launch, this application asks for storage, camera and contact access permission, followed by request to access notifications. Next, it opens the camera for scanning \u2014if we scan QR code from this application, it opens embedded URL \u2014 e.g. In Fig. 2 see scanned QR code and its result.<\/p>\n

\"Fig.
Fig. 2 Application Functionality<\/figcaption><\/figure>\n

The application seems useful for now but, it does the malicious activity in the background without the user\u2019s knowledge.<\/p>\n

\"Fig.3
Fig.3 Packages of application and payloads<\/figcaption><\/figure>\n

Fig. 3 shows packages from Easy QR Scanner application and it\u2019s downloaded payloads. In this application, three different payloads are downloaded one after another. Original applications have used Tencent packer to hide its malicious payload downloading functionality. At runtime, it unpacks this application and downloads first stage payload.<\/p>\n

First stage payload, xiwa.doc,<\/strong> is downloaded from C&C jordi.oss-us-east-1.aliyuncs.com<\/strong><\/p>\n

\"Fig.4
Fig.4 Three payloads downloaded in three consecutive requests.<\/figcaption><\/figure>\n

Here is the first entry from Network log for application \u201cEasy QR Scanner\u201d<\/strong><\/p>\n

{<\/p>\n

“Entry”: 1,<\/p>\n

“Application”: “Easy QR Scanner”,<\/p>\n

“Application package name “: “com.easyqr.scannertool”,<\/p>\n

“Request url”: “http:\/\/jordi.oss-us-east-1.aliyuncs.com\/closer\/xiwa.doc”,<\/p>\n

“Request method”: “GET”,<\/p>\n

“Version”: “HTTP\/1.1”,<\/p>\n

“Status code”: “200 OK”,<\/p>\n

“Remote address”: “47.253.30.162”,<\/p>\n

“Domain”: “jordi.oss-us-east-1.aliyuncs.com”,<\/p>\n

“Content type”: “application\/msword”,<\/p>\n

“Port”: “443”,<\/p>\n

“SSL”: null<\/p>\n

}<\/p>\n

This file – xiwa.doc contains code to download next stage payload kudo.doc.<\/p>\n

\"Fig.
Fig. 5 Code snippet of first stage payload<\/figcaption><\/figure>\n

This second stage payload contains the code to check Sim Operator code and code to ask notification access. Sim operator code can be accessed using getSimOperator <\/em>method, which returns [mobile country code + mobile network code]. It also has code to download 3rd<\/sup> and final stage payload – closer.doc.<\/strong><\/p>\n

\"Fig.
Fig. 6 Code snippet of 2nd stage payload<\/figcaption><\/figure>\n

Final stage payload – closer.doc<\/h2>\n

This is the final malicious payload responsible for Joker\u2019s behaviour. Below is a code snippet showing BroadcastReceiver\u2019s onReceive method \u2014 it collects received message data.<\/p>\n

\"Fig
Fig 7. Code snippet of received SMS collection<\/figcaption><\/figure>\n

String obfuscation is used to avoid pattern-based signature detections.<\/p>\n

\"Fig.8
Fig.8 String obfuscation<\/figcaption><\/figure>\n

As shown in Fig. 9, It checks for Sim Operator code first and then visits a site to subscribe for a premium service. Then it requests for OTP and submits the received OTP without user\u2019s knowledge or consent.<\/p>\n

\"Fig.
Fig. 9 Subscribing for premium services.<\/figcaption><\/figure>\n

These types of techniques (e.g. malicious code is inside the 3rd<\/sup> stage payload) used by malware authors to bypass the security checks of Google.<\/p>\n

Another application we found (Free Translator) has similar behaviour. These applications look benign but do malicious activities in the background, so the user should avoid downloading these types of applications and try to use applications from trusted developers only.<\/p>\n

 <\/p>\n

Tips to stay safe<\/strong><\/h2>\n

1.Download applications only from trusted sources like Google Play Store.<\/p>\n

2.Learn how to identify fake applications in Google Play Store.<\/p>\n

3.Do not click on alien links received through messages or any other social media platforms.<\/p>\n

4.Turn off installation from unknown source option.<\/p>\n

5.Read the pop-up messages you get from the Android system before accepting\/allowing any new permissions.<\/p>\n

6.Malicious developers spoof original application names and developer names. So, make sure you are downloading genuine applications only. Often application descriptions contain typos and grammatical mistakes. Check the developer\u2019s website if a link is available on the application\u2019s webpage. Avoid using it if anything looks strange or odd.<\/p>\n

7.Reviews and ratings can be fake but still reading user reviews of the application and the experience of existing users can be helpful. Pay attention to reviews with low ratings.<\/p>\n

8.Check download count of the application \u2014 popular applications have very high download counts. But do note that some fake applications have been downloaded thousands or even millions of times before they were discovered.<\/p>\n

9.Avoid downloading applications from third-party application stores or links provided in SMSs, emails, or WhatsApp messages. Also, avoid installing applications that are downloaded after clicking on an advertisement.<\/p>\n

10.Use a trusted anti-virus like Quick Heal Mobile Security<\/a> to stay safe from Android malware.<\/p>\n

IOC:<\/strong><\/p>\n

MD5: 3bbf45eab9796a2781e640393fae7423<\/p>\n

MD5: f733cfe88fc4089523a634675f808100<\/p>\n

URLs of payload:<\/strong><\/p>\n

hxxp:\/\/jordi[.]oss-us-east-1[.]aliyuncs.com\/closer\/xiwa.doc<\/p>\n

hxxp:\/\/jordi[.]oss-us-east-1[.]aliyuncs.com\/closer\/kubo.doc<\/p>\n

hxxp:\/\/jordi[.]oss-us-east-1[.]aliyuncs.com\/closer\/closer.doc<\/p>\n

hxxp:\/\/feeli[.]oss-us-east-1[.]aliyuncs.com\/feel\/kouj.asx<\/p>\n

hxxp:\/\/feeli[.]oss-us-east-1[.]aliyuncs.com\/feel\/gechagn.asx<\/p>\n

hxxp:\/\/feeli[.]oss-us-east-1[.]aliyuncs.com\/feel\/feel.asx<\/p>\n

Final C&C<\/strong><\/p>\n

47[.]241[.]106[.]26<\/p>\n","protected":false},"excerpt":{"rendered":"

We recently came across 2 malicious Joker family malware applications on Google Play Store\u00a0 \u2014 the company was quick to remove these malicious applications from their store based on our report. These two applications, namely \u201cEasy QR Scanner\u201d and \u201cFree Translator\u201d have more than 10k installs each. What is Joker Malware? Joker is spyware which […]<\/p>\n","protected":false},"author":61,"featured_media":89572,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[968],"tags":[431,1771,49],"class_list":["post-89557","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-spyware","tag-android","tag-joker","tag-malware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89557"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=89557"}],"version-history":[{"count":8,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89557\/revisions"}],"predecessor-version":[{"id":91534,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89557\/revisions\/91534"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/89572"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=89557"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=89557"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=89557"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}