Blogs > Security Research

Joker Playing Hide-and-Seek with Google Play

Android Joker

Published on:

Authored by:

Viral Gandhi

Viral Gandhi

Category:

Mobile Malware

Joker Playing Hide-and-Seek with Google Play

Joker is one of the most prominent malware families that continually targets Android devices. Despite awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information along with silently signing up the victim for premium wireless application protocol (WAP) services.

Our Zscaler ThreatLabZ research team has been constantly monitoring the Joker malware. Recently, we have seen regular uploads of it onto the Google Play store. Once notified by us, the Google Android Security team took prompt action to remove the suspicious apps (listed below) from the Google Play store. 

This prompted us to evaluate how Joker is so successful at getting around the Google Play vetting process. We identified 17 different samples regularly uploaded to Google Play in September 2020. There were a total of around 120,000 downloads for the identified malicious apps.


The following are the names of the infected apps we discovered on the Google Play store:

  • All Good PDF Scanner
  • Mint Leaf Message-Your Private Message
  • Unique Keyboard - Fancy Fonts & Free Emoticons
  • Tangram App Lock
  • Direct Messenger
  • Private SMS
  • One Sentence Translator - Multifunctional Translator
  • Style Photo Collage
  • Meticulous Scanner
  • Desire Translate
  • Talent Photo Editor - Blur focus
  • Care Message
  • Part Message
  • Paper Doc Scanner
  • Blue Scanner
  • Hummingbird PDF Converter - Photo to PDF
  • Powerful Cleaner

(As of this writing, all of these apps have been removed from the Google Play store.)

In this blog, we will discuss the tactics used by the Joker malware author to bypass the Google Play vetting process.

 

Scenario 1: Direct download

In some of the Joker variants, we saw the final payload delivered via a direct URL received from the command and control (C&C) server. In this variant, the infected Google Play store app has the C&C address hidden in the code itself with string obfuscation. We observed the string “sticker” was used to break the C&C address to hide it from the simple grep or string search, as shown in Figure 1.

Figure 1: The C&C address string obfuscation.

Once installed, the infected app contacts the C&C server, which then responds with the URL of a final payload. This JSON file also has the information related to the class name that needs to be executed from the final payload to do all the malicious activities.

Figure 2: The C&C JSON response.

Upon receiving the JSON configuration from the C&C, the infected app downloads the payload from the received location and executes it. 

Figure 3: The final payload download.

 

Scenario 2: One-stage download

In some apps, we observed that for retrieving the final payload, the infected Google Play app uses a stager payload. Here the infected Google Play store app has the stager payload URL encoded in the code itself encrypted using Advanced Encryption Standard (AES). Upon infection, unlike scenario 1, it downloads the stager payload rather than a final payload, as seen in Figure 4 and Figure 5.

We also saw two varieties of the stager payload—an Android Package (APK) or a Dalvik executable file.

Figure 4: The Dalvik executable stager payload download.

Figure 5: The APK stager payload download.

The job of this stager payload is to simply retrieve the final payload URL from the code and download it. Along with the payload download, it is responsible for executing the final payload as well.

In the stager payload, we also saw some different tactics used by the malware author to hide the final payload URL. We saw instances where the final payload is obfuscated with AES and, in some cases, we saw simple shift operation was used to obfuscate the final payload URL.

In some cases, the final payload URL was also in plain text.

Figure 6: AES encryption for the end payload URL.

Figure 7: The plain text end payload URL.

Figure 8: The plain text end payload URL.

Figure 9: The obfuscated end payload URL with Shift encoding

Upon execution, it downloads the final stage payload, which is the core Joker malware doing all the infection activities ranging from premium SMS subscription scam to spyware activities, as seen in Figure 10.

Figure 10: The end payload download.

 

Scenario 3 : Two-stage download

In some groups of infected Google Play store apps, we saw two-stager payload downloads used to retrieve the final payload. Here, the Google Play infected app downloads the stage one payload, which downloads the stage two payload, which finally loads the end Joker payload.

Interestingly, unlike previous two scenarios, the infected app contacts the C&C server for the stage one payload URL, which hides it in response location header.

Figure 11: The C&C response for the stage one payload URL.

Upon infecting the device, the infected app downloads the stage one payload from the received URL from the C&C in the response header. Like scenario two, the job of this payload is to simply download another payload but this time it won't be the final payload. Observe the below screenshot for the same activity.

Figure 12: The stage two URL in stage one code.

Upon execution of the stage one payload, it downloads the stage two payload. The stage two payload exhibits the same behavior as the stage one payload. It includes the hard-coded URL, which retrieves the final payload as shown in Figure 13.

Figure 13: The final payload URL in the stage two code.

 

Final payload details

Although these variations were used by Joker to reach the end payload, we saw the same end payload downloaded in all the cases. Here are some highlights of the final payload activities.

The final payload employs DES encryption to execute the C&C activities.

Figure 14: The DES encryption for the C&C post request.

Figure 15 shows the network patterns used by Joker to execute the C&C activities.

Figure 15: The C&C pattern for the post request.

The end payload also employs string obfuscation to hide all the important strings. It uses string “nus106ba” to break all the important strings to hide it from simple string search.

Figure 16: The string obfuscation.

Figure 17 shows the SMS harvesting and WAP fraud done by Joker.

Figure 17: The WAP fraud.

This post provides in-depth details related to end payload activities done by Joker.

 

Recommandation

We recommend paying close attention to the permission list in the apps that you install on your Android device. Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page aslo helps identify compromised apps.

 

IOCs

Infected Apps on GooglePlay:

 

MD5s

Package Name

2086f0d40e611c25357e8906ebb10cd1

com.carefrendly.message.chat

b8dea8e30c9f8dc5d81a5c205ef6547b

com.docscannercamscanpaper

5a5756e394d751fae29fada67d498db3

com.focusphoto.talent.editor

8dca20f649f4326fb4449e99f7823a85

com.language.translate.desire.voicetranlate

6c34f9d6264e4c3ec2ef846d0badc9bd

com.nightsapp.translate.sentence

04b22ab4921d01199c9a578d723dc6d6

com.password.quickly.applock

b488c44a30878b10f78d674fc98714b0

com.styles.simple.photocollage.photos

a6c412c2e266039f2d4a8096b7013f77

com.unique.input.style.my.keyboard

4c5461634ee23a4ca4884fc9f9ddb348

dirsms.welcome.android.dir.messenger

e4065f0f5e3a1be6a56140ed6ef73df7

pdf.converter.image.scanner.files

bfd2708725bd22ca748140961b5bfa2a

message.standardsms.partmessenger

164322de2c46d4244341e250a3d44165

mintleaf.message.messenger.tosms.ml

88ed9afb4e532601729aab511c474e9a

omg.documents.blue.pdfscanner

27e01dd651cf6d3362e28b7628fe65a4

pdf.maker.scan.image.phone.scanner

e7b8f388051a0172846d3b3f7a3abd64

prisms.texting.messenger.coolsms

0ab0eca13d1c17e045a649be27927864

com.gooders.pdfscanner.gp

bfbe04fd0dd4fa593bc3df65a831c1be

com.powerful.phone.android.cleaner

 

 

URLs of payload distribution

blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/privateSMS_ba[.]htm

blackdragon03[.]oss-ap-southeast-5[.]aliyuncs[.]com/partMessage_base[.]css

blackdragon03[.]oss-ap-southeast-5[.]aliyuncs[.]com/partMessage_config[.]json

nineth03[.]oss-ap-southeast-5[.]aliyuncs[.]com/MeticulousScanner_bs[.]mp3

sahar[.]oss-us-east-1[.]aliyuncs[.]com/care[.]asf

sahar[.]oss-us-east-1[.]aliyuncs[.]com/onesentence[.]asf

sahar[.]oss-us-east-1[.]aliyuncs[.]com/onesentence2[.]asf

sahar[.]oss-us-east-1[.]aliyuncs[.]com/saiks[.]asf

sahar[.]oss-us-east-1[.]aliyuncs[.]com/tangram[.]asf

sahar[.]oss-us-east-1[.]aliyuncs[.]com/tangram2[.]asf

sahar[.]oss-us-east-1[.]aliyuncs[.]com/twinkle[.]asf

2j1i9uqw[.]oss-eu-central-1[.]aliyuncs[.]com/328718737/armeabi-v7a/ihuq[.]sky

blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/blackdragon[.]html

blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/privateSMS[.]json

fgcxweasqw[.]oss-eu-central-1[.]aliyuncs[.]com/fdcxqewsswq/dir[.]png

jk8681oy[.]oss-eu-central-1[.]aliyuncs[.]com/fsaxaweqwa/amly[.]art

n47n[.]oss-ap-southeast-5[.]aliyuncs[.]com/H20PDF29[.]txt

n47n[.]oss-ap-southeast-5[.]aliyuncs[.]com/font106[.]ttf

nineth03[.]oss-ap-southeast-5[.]aliyuncs[.]com/blackdragon[.]html

proxy48[.]oss-eu-central-1[.]aliyuncs[.]com/m94[.]dir

proxy48[.]oss-eu-central-1[.]aliyuncs[.]com/response[.]js

laodaoo[.]oss-ap-southeast-5.aliyuncs[.]com/allgood2[.]webp

laodaoo[.]oss-ap-southeast-5[.]aliyuncs[.]com/flower[.]webp

rinimae[.]oss-ap-southeast-5[.]aliyuncs.com/powerful[.]mov

rinimae[.]oss-ap-southeast-5[.]aliyuncs.com/powerful2[.]mov

rinimae[.]oss-ap-southeast-5[.]aliyuncs.com//intro[.]mov

 

Final C&C:

161[.]117[.]229[.]58

161[.]117[.]83[.]26

47[.]74[.]179[.]177

 

References:

https://twitter.com/ReBensk

https://www.anquanke.com/post/id/211978

 



Suggested Blogs