![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig1-300x228.png\")
<\/p>\nFor the last three years, Joker Trojan is making its way on Google Play Store. Quick Heal Security Labs recently spotted 8 Joker malware on Google Play Store and reported them to Google, which has now removed all the applications.<\/p>\n
<\/p>\n
Fig. 1 Screenshots of Applications from Google Play Store<\/em><\/p>\n Joker is a spyware<\/a> Trojan that steals the victim\u2019s device like SMS messages, contact list, and device info. Then, it silently interacts with advertisement websites and subscribes the victim to premium services without their knowledge. In January, we have reported similar samples to Google and published a blog<\/a> on the same.<\/p>\n <\/p>\n At launch, this application asks for notification access, which is used to get notification data. This application takes SMS data from notifications, asks for Contacts access, and makes and manages phone call permission. After that, it is working like a document scanner application without showing any visible malicious activity to the user.<\/p>\n Fig. 2 Permissions asked by Application<\/em><\/p>\n But in the background, it downloads two payloads, one after the other. The first payload is downloaded from a Bitly short URL link, which is present in the original application from Google Play Store. See fig. 3 This application has link “h**p:\/\/bit[.]ly\/3hT17RL”. Then this payload further downloads the next payload from the link – \u201ch**p:\/\/skullali[.]oss-me-east 1[.]aliyuncs.com\/realease.mp3\u201d. This payload is nothing but malicious joker malware.<\/p>\n Fig. 3 Payload downloading flow<\/em><\/p>\n This final payload releases the .mp3 file, which contains code for notification access (Ref. Fig. 4), and the onReceive<\/em> method (Ref. Fig. 5), which collects received SMS data.<\/p>\n Fig. 4 Code for notification access<\/span><\/span>\u00a0<\/span><\/em><\/p>\n Fig. 5 Implementation of onReceive method<\/em><\/p>\n It also checks for the SIM provider\u2019s country code. If this code starts with \u201c520,\u201d i.e., if Sim providers country is Thailand, it subscribes the user to premium services as shown in Fig.5.<\/p>\n Fig.<\/span>6<\/span>\u00a0Code for subscription<\/span><\/em><\/p>\n Malware authors spread these malware applications on the Google Play Store in scanner applications, wallpaper applications, message applications. These types of applications can quickly become a target. Users should try to avoid such applications and use such kinds of applications only from trusted developers.<\/p>\n <\/p>\n <\/p>\n <\/p>\n For the last three years, Joker Trojan is making its way on Google Play Store. Quick Heal Security Labs recently spotted 8 Joker malware on Google Play Store and reported them to Google, which has now removed all the applications. Fig. 1 Screenshots of Applications from Google Play Store Joker is a spyware Trojan that […]<\/p>\n","protected":false},"author":61,"featured_media":90059,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1739,24,354],"tags":[431,1821,1822,218,1823,1820,1771,49,19],"class_list":["post-89963","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-malware","category-mobile-security-2","tag-android","tag-androidmalware","tag-androidsecurity","tag-google","tag-googleapps","tag-googleplaystore","tag-joker","tag-malware","tag-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89963"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=89963"}],"version-history":[{"count":18,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89963\/revisions"}],"predecessor-version":[{"id":91466,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/89963\/revisions\/91466"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/90059"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=89963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=89963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=89963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Let’s see the working of one of the applications-<\/strong><\/h4>\n
\n
![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig2-300x105.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig3-300x194.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig4-300x107.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig5-300x122.png\")
<\/p>\n![\"\"](\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/06\/Fig6-300x140.png\")
<\/p>\nIOC:<\/strong><\/h4>\n
\n\n
\n MD5\u00a0<\/strong><\/td>\n Detection\u00a0Name\u00a0<\/strong><\/td>\n<\/tr>\n \n 05710c8525f31535eb7338653429b1fa<\/span>\u00a0<\/span><\/td>\n Android.Joker.Aad66<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n 9add1126cd52900c06ce4fe58ffc5f25<\/span>\u00a0<\/span><\/td>\n Android.Jocker.Abd79<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n 4705ce82dd8a969139f07b9576715dca<\/span>\u00a0<\/span><\/td>\n Android.Agent.Aed3f<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n 17c9de7d2a62fb0ed640fd2a348d6ffd<\/span>\u00a0<\/span><\/td>\n Android.Joker.Af409<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n e4caf7c6a04139326d34bdb9b7282b00<\/span>\u00a0<\/span><\/td>\n Android.Agent.Aec9e<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n 6b11d98e9713b3f3a53e201394c1247b<\/span>\u00a0<\/span><\/td>\n Android.Joker.Af408<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n 995caba3370a6df5e73790d3461811e9<\/span>\u00a0<\/span><\/td>\n Android.Joker.Af406<\/span>\u00a0<\/span><\/td>\n<\/tr>\n \n dfe73757188ebe9d10aded37b349400b<\/span>\u00a0<\/span><\/td>\n Android.Joker.Af407<\/span>\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n C2 server:<\/strong><\/h4>\n
\n
Tips to stay safe<\/strong><\/h4>\n
\n