No Joking Around with JOKER

Posted byBaran S
AndroidStealer Trojan

No Joking Around with JOKER

By Baran SMay 5, 2021

The Joker malware family has been consistently targeting Android users since it was discovered in 2017 and is one of the most active malware families on the Google Play Store. It continues to find new tricks and tactics to stay undetected by doing small changes in its code or changing the payload download techniques. 

The family name “Joker” was derived from the Command and Control (C2) domain name it used in its early days.  This malware attempts to steal SMS messages, contacts from the victim’s device and silently signs up its victims to the premium services without their knowledge.

At K7 Labs, we recently noticed a new Joker malware sample on Google Play Store, which utilizes Android packers like “Tencent’s Legu” and “ijiami” packers to evade detection.

Figure 1: Malicious Joker Apps from Google Play Store Protected with Packer

In this blog, we will be analyzing the sample kindledev.nap.ksms which uses Tencent’s Legu Packer to hide its malicious payload functionality as shown in Figure 2.

Figure 2: APK Protected with Tencent’s Legu Packer

Technical Analysis

Once launched, at runtime it unpacks the malicious Android Package (APK) and contacts the C2 server to download a malicious Dalvik Executable (DEX) file payload as shown in Figure 3, which enables the malware and adds other capabilities.

Figure 3: Malicious Payload from C2 Server

This malicious payload continuously sends POST requests to hxxp[:]//161[.]117[.]46[.]64/svhyqj/mjcxzy for communication as shown in Figure 4.

Figure 4:  Encrypted Data sent to C2 in POST

This Joker Trojan attempts to intercept SMS messages notifications as shown in Figure 5.

Figure 5:  Intercept SMS Messages

This Trojan also silently signs up the victim for the WAP (Wireless Application Protocol) fraud as shown in Figure 6.

Figure 6: WAP Fraud by Joker Trojan

Mitigations

  • Use the official App Store to download the apps
  • Carefully read the user reviews before installing the apps
  • Ensure you protect your device and data by using a reputable security product like K7 Mobile Security and keeping it up-to-date, to scan all the downloaded apps, irrespective of the source

Indicators Of Compromise (IOCs)

Infected Package Name on Google Play StoreHashPackerDetection Name
com.upinklook.kunicam4a0d873780a7132d1e2b407d9c5db801ijiamiTrojan ( 0057931a1 )
com.keykeybor.borprem.forpiknovonlinesdab94a0370d933a12f1bba217e9b29adijiamiTrojan ( 0001140e1 )
kindledev.nap.ksms8e6ef3afeac8aaf94191fa95121244a9Tencent’s LeguTrojan ( 0001140e1 )
com.beautifulnature.freshwallpapers18a9aa9d52d78c2b87ac0b2332e46b03Tencent’s LeguTrojan ( 0001140e1 )
com.camerasideas.collagemakerf36aa54257bb4ca184db537293415a4aijiamiTrojan ( 0057931a1 )
cc.lask.asb3a7042186cb7957726b468bc1024d6bTencent’s LeguTrojan ( 0001140e1 )
inksms.beatmessages.messagingac2f1708ba265b2152aed0c43b7be2eaTencent’s LeguTrojan ( 0001140e1 )
com.translate2021.forall.languagebf84acfcd727c8aead7f81d73fc41082Tencent’s LeguTrojan ( 0001140e1 )
com.multicamera.coolwending.translatorfccf657d5e61d53ceff6943e7263f8d3Tencent’s LeguTrojan ( 0001140e1 )
com.alltxt.translate.photo.convert8668549e97b60bfccfb4082f2bb9fc62Tencent’s LeguTrojan ( 0001140e1 )
com.sophisticated.gifmakermaxc5eb32e4ff466702fd95429b8a367686Tencent’s LeguTrojan ( 0001140e1 )
everysearch.artifactf9b089e22514f1824a0e0c0bee4248ceTencent’s LeguTrojan ( 0001140e1 )
com.kong.toouch.ass.iphoea0f9f4d088a69659a4791ef5d883c0487ijiamiTrojan ( 0057931a1 )
livepictures.livebackground.lightningwallpaper652d67cfb68278306e22545c551ac64dTencent’s LeguTrojan ( 0001140e1 )
com.camscanner.docscanner.multidocscanner8cb23726b1438e734ba3708995ae36c2Tencent’s LeguTrojan ( 0001140e1 )
cplus.mirzatext.translateapp33b6a1a6d1d31a63c33666ba6a8be8d3Tencent’s LeguTrojan ( 0001140e1 )
com.freecollger.make.photocollagef53560912c64f236bbd71995204b4962Tencent’s LeguTrojan ( 0001140e1 )
com.wandaretech.flashinterpreterd595f2c5b39728269a531bd018740484Tencent’s LeguTrojan ( 00579d201 )

Payload URLs

mul4[.oss-ap-southeast-5.aliyuncs[.com

hwayt[.oss-us-east-1.aliyuncs[.com

wansgo[.oss-ap-southeast-5.aliyuncs[.com

selct[.oss-ap-southeast-2.aliyuncs[.com

scanlucky[.oss-us-east-1.aliyuncs[.com

banca[.oss-us-east-1.aliyuncs[.com

biggerone[.oss-us-east-1.aliyuncs[.com

lucky-bird[.oss-me-east-1.aliyuncs[.com

linchen-bucket[.oss-us-east-1.aliyuncs[.com

breezea[.oss-us-east-1.aliyuncs[.com

fronta[.oss-us-west-1.aliyuncs[.com

warriorss[.oss-us-west-1.aliyuncs[.com

Final C2 Servers

161[.117.226.98
161[.117.250.158
161[.117.62.127
161[.117.46.64

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

More Posts

Security News  

UK opens new £30m Cybersecurity Research Centre

administrator
administratorSeptember 25, 2009
Security  Security News  

DEATHRING: The Android You Bought Can Spy on You!

Dhanalakshmi
DhanalakshmiDecember 10, 2014
Advanced Persistent Threats  Phishing  

The DoNot APT

Vigneshwaran P
Vigneshwaran PFebruary 23, 2023

    0 replies on “No Joking Around with JOKER”