Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services.
Our Zscaler ThreatLabZ research team has been constantly monitoring the Joker malware. Recently, we have seen regular uploads of it onto the Google Play store. Once notified by us, the Google Android Security team took prompt action to remove the suspicious apps (listed below) from the Google Play store.
This prompted us to evaluate how Joker is so successful at getting around the Google Play vetting process. We identified 17 different samples regularly uploaded to Google Play in September 2020. There were a total of around 120,000 downloads for the identified malicious apps.
The following are the names of the infected apps we discovered on the Google Play store:
All Good PDF Scanner
Mint Leaf Message-Your Private Message
Unique Keyboard - Fancy Fonts & Free Emoticons
Tangram App Lock
Direct Messenger
Private SMS
One Sentence Translator - Multifunctional Translator
Style Photo Collage
Meticulous Scanner
Desire Translate
Talent Photo Editor - Blur focus
Care Message
Part Message
Paper Doc Scanner
Blue Scanner
Hummingbird PDF Converter - Photo to PDF
All Good PDF Scanner
(As of this writing, all of these apps have been removed from the Google Play store.)
In this blog, we will discuss the tactics used by the Joker malware author to bypass the Google Play vetting process.
Scenario 1: Direct download
In some of the Joker variants, we saw the final payload delivered via a direct URL received from the command and control (C&C) server. In this variant, the infected Google Play store app has the C&C address hidden in the code itself with string obfuscation. We observed that the string “sticker” was used to break up the C&C address to hide it from a simple grep or string search, as shown in Figure 1.
Figure 1: The C&C address string obfuscation.
Once installed, the infected app contacts the C&C server, which then responds with the URL of a final payload. This JSON file also has the information related to the class name that needs to be executed from the final payload to do all the malicious activities.
Figure 2: The C&C JSON response.
Upon receiving the JSON configuration from the C&C, the infected app downloads the payload from the received location and executes it.
Figure 3: The final payload download.
Scenario 2: One-stage download
In some apps, we observed that for retrieving the final payload, the infected Google Play app uses a stager payload. Here the infected Google Play store app has the stager payload URL encoded in the code itself encrypted using Advanced Encryption Standard (AES). Upon infection, unlike scenario 1, it downloads the stager payload rather than a final payload, as seen in Figure 4 and Figure 5.
We also saw two varieties of the stager payload—an Android Package (APK) or a Dalvik executable file.
Figure 4: The Dalvik executable stager payload download.
Figure 5: The APK stager payload download.
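A triage helper for the two stager varieties described above, written as an added example (it is not code from the post or from the malware): it classifies a downloaded blob by its file magic rather than by the URL's extension, and flags downloads whose path does not look like code but whose body is an APK or a DEX file. The magic values are public format facts; the sample blobs and URLs are constructed here.

```python
import io
import zipfile

# Public format facts: a Dalvik executable starts with "dex\n" + 3-digit version + NUL;
# an APK is a ZIP archive whose first local-file header is "PK\x03\x04".
DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"


def classify_stager(blob: bytes) -> str:
    """Return 'dex' for a bare Dalvik executable, 'apk' for a ZIP that carries
    classes.dex or a manifest, 'zip' for any other archive, else 'other'."""
    if blob[:4] == DEX_MAGIC and len(blob) >= 8 and blob[7:8] == b"\x00":
        return "dex"
    if blob[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other"
        return "apk" if ("classes.dex" in names or "AndroidManifest.xml" in names) else "zip"
    return "other"


def extension_mismatch(url: str, blob: bytes) -> bool:
    """Heuristic: the body is Android code but the URL extension does not say so."""
    name = url.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return classify_stager(blob) in ("dex", "apk") and ext not in ("apk", "dex", "jar")


# Constructed samples for the demo; these are not real Joker payloads.
def fake_dex() -> bytes:
    return DEX_MAGIC + b"035\x00" + b"\x00" * 120


def fake_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", fake_dex())
    return buf.getvalue()


if __name__ == "__main__":
    for url, blob in [("https://host.invalid/song.mp3", fake_dex()),
                      ("https://host.invalid/pic.webp", fake_apk()),
                      ("https://host.invalid/real.webp", b"RIFF....WEBP")]:
        print(url, classify_stager(blob), extension_mismatch(url, blob))
```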
The job of this stager payload is to simply retrieve the final payload URL from the code and download it. Along with the payload download, it is responsible for executing the final payload as well.
In the stager payload, we also saw different tactics used by the malware author to hide the final payload URL. We saw instances where the final payload URL is obfuscated with AES and, in some cases, a simple shift operation was used to obfuscate it.
In some cases, the final payload URL was also in plain text.
Figure 6: AES encryption for the end payload URL.
Figure 7: The plain text end payload URL.
Figure 8: The plain text end payload URL.
Figure 9: The obfuscated end payload URL with shift encoding.
Upon execution, it downloads the final stage payload, which is the core Joker malware doing all the infection activities ranging from premium SMS subscription scam to spyware activities, as seen in Figure 10.
Figure 10: The end payload download.
Scenario 3: Two-stage download
In some groups of infected Google Play store apps, we saw two stager payload downloads used to retrieve the final payload. Here, the infected Google Play app downloads the stage one payload, which downloads the stage two payload, which finally loads the end Joker payload.
Interestingly, unlike the previous two scenarios, the infected app contacts the C&C server for the stage one payload URL, which the server hides in the Location header of its response.
Figure 11: The C&C response for the stage one payload URL.
Upon infecting the device, the infected app downloads the stage one payload from the URL received from the C&C in the response header. Like scenario two, the job of this payload is simply to download another payload, but this time it is not the final payload. The screenshot below shows this activity.
Figure 12: The stage two URL in stage one code.
Upon execution of the stage one payload, it downloads the stage two payload. The stage two payload exhibits the same behavior as the stage one payload. It includes the hard-coded URL, which retrieves the final payload as shown in Figure 13.
Figure 13: The final payload URL in the stage two code.
Final payload details
Although these variations were used by Joker to reach the end payload, we saw the same end payload downloaded in all the cases. Here are some highlights of the final payload activities.
The final payload employs DES encryption to execute the C&C activities.
Figure 14: The DES encryption for the C&C post request.
Figure 15 shows the network patterns used by Joker to execute the C&C activities.
Figure 15: The C&C pattern for the post request.
The end payload also employs string obfuscation to hide all the important strings. It uses the string “nus106ba” to break up the important strings so that they are hidden from a simple string search.
Figure 16: The string obfuscation.
Figure 17 shows the SMS harvesting and WAP fraud done by Joker.
Figure 17: The WAP fraud.
This post provides in-depth details related to end payload activities done by Joker.
Recommendation
We recommend paying close attention to the permission list of the apps that you install on your Android device. Always watch out for risky permissions related to SMS, call logs, contacts, and more. Reading the comments and reviews on the app page also helps identify compromised apps.
IOCs
Infected apps on Google Play:
URLs of payload distribution
Final C&C:
161[.]117[.]229[.]58
161[.]117[.]83[.]26
47[.]74[.]179[.]177