Insights and Research

Joker, Facestealer and Coper banking malwares on Google Play store

Malwares on Google Play store

/blogs/security-research/joker-playing-hide-and-seek-google-play

Google Play Store is typically considered to be one of the safest sources for users to find and install android apps. However, threat actors continue to evolve their tactics and are able to successfully upload dangerous apps laced with malware on the Google play store. 

Recently, the Zscaler ThreatLabz team discovered apps involving multiple instances of the Joker, Facestealer, and Coper malware families spreading in the virtual marketplace. The ThreatLabz team immediately notified the Google Android Security team of these newly identified threats, and they promptly removed the malicious apps from the Google Play Store.

The following is the technical analysis of these three malware family payloads that were recently discovered in the Play Store:

 

Joker Malware

Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google’s official app store by regularly modifying the malware’s trace signatures including  updates to the code, execution methods, and payload-retrieving techniques. This malware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services. Over the past two months, our ThreatLabz researchers discovered the following malicious Joker downloader apps in the Google Play Store:

 

Simple Note Scanner - com.wuwan.pdfscan

Universal PDF Scanner - com.unpdf.scan.read.docscanuniver

Private Messenger - com.recollect.linkus

Premium SMS - com.premium.put.trustsms

Smart Messages - com.toukyoursms.timemessages

Text Emoji SMS - messenger.itext.emoji.mesenger

Blood Pressure Checker - com.bloodpressurechecker.tangjiang

Funny Keyboard - com.soundly.galaxykeyboard

Memory Silent Camera - com.silentmenory.timcamera

Custom Themed Keyboard - com.custom.keyboardthemes.galaxiy

Light Messages - com.lilysmspro.lighting

Themes Photo Keyboard - com.themes.bgphotokeyboard

Send SMS - exazth.message.send.text.sms

Themes Chat Messenger - com.relish.messengers

Instant Messenger - com.sbdlsms.crazymessager.mmsrec

Cool Keyboard - com.colate.gthemekeyboard

Fonts Emoji Keyboard - com.zemoji.fontskeyboard

Mini PDF Scanner - com.mnscan.minipdf

Smart SMS Messages - com.sms.mms.message.ffei.free

Creative Emoji Keyboard - com.whiteemojis.creativekeyboard.ledsloard

Fancy SMS - con.sms.fancy

Fonts Emoji Keyboard - com.symbol.fonts.emojikeyboards

Personal Message - com.crown.personalmessage

Funny Emoji Message - com.funie.messagremo

Magic Photo Editor - com.amagiczy.photo.editor

Professional Messages - com.adore.attached.message

All Photo Translator - myphotocom.allfasttranslate.transationtranslator

Chat SMS - com.maskteslary.messages

Smile Emoji - com.balapp.smilewall.emoji

Wow Translator - com.imgtop.camtranslator

All Language Translate - com.exclusivez.alltranslate

Cool Messages - com.learningz.app.cool.messages

Blood Pressure Diary - bloodhold.nypressure.mainheart.ratemy.mo.depulse.app.tracker.diary

Chat Text SMS - com.echatsms.messageos

Hi Text SMS - ismos.mmsyes.message.texthitext.bobpsms

Emoji Theme Keyboard - com.gobacktheme.lovelyemojikeyboard

iMessager - start.me.messager

Text SMS - com.ptx.textsms

Camera Translator - com.haixgoback.outsidetext.languagecameratransla

Come Messages - com.itextsms.messagecoming

Painting Photo Editor - com.painting.pointeditor.photo

Rich Theme Message - com.getmanytimes.richsmsthememessenge

Quick Talk Message - mesages.qtsms.messenger

Advanced SMS - com.fromamsms.atadvancedmmsopp

Professional Messenger - com.akl.smspro.messenger

Classic Game Messenger - com.classcolor.formessenger.sic

Style Message - com.istyle.messagesty

Private Game Messages - com.message.game.india

Timestamp Camera - allready.taken.photobeauty.camera.timestamp

Social Message - com.colorsocial.message

 

ThreatLabz has discovered over 50 unique Joker downloader apps on the Play Store till now. All of these apps were downloaded over 300k times combined and they typically fall into one of the following common categories:

  • Communication
  • Health
  • Personalization
  • Photography
  • Tools

The following is the breakdown of the number of apps per category:

 

The tools and communication were among the most targeted categories covering the majority of the Joker-infected apps. ThreatLabz discovered daily uploads of apps containing the Joker malware indicating the high activity level and persistence of the adversary group. Consistent with previous findings, ThreatLabz latest discoveries belonging to the Joker malware campaign continue to follow similar developer naming patterns and use of familiar techniques. Check out our previous blog Joker Joking in Google Play for a more in-depth analysis of this specific campaign.

The following is the technical analysis of the Enjoy Message Joker app:

 

  • App Name: Enjoy Message 
  • Package Name: sms.ienjoy.joysms.message

The Joker malware authors develop and release a range of apps from the very complex to incredibly simple.  Instead of waiting for apps to gain a specified volume of installs and reviews before swapping for a malware-laced version, the Joker developers have taken to hiding the malicious payload in a common asset file and package application using commercial packers. Serving as one of the primary reasons why these malicious apps often go undetected by antivirus softwares and during evaluation by the Play Store.

Most commonly, threat actors disguise the Joker malware in messaging applications that require users to grant escalated access permissions by allowing them to serve as the default SMS app on the user's phone. The malware uses these advanced permissions to carry out its operations.

In the Enjoy SMS application, the payload is hidden in the known path but the path itself is obfuscated in the application's class.

Fig 1: Obfuscated path of the payload

Upon deobfuscation, the path becomes visible in the asset directory  "io/michaelrocks/libphonenumber/android/data/PhoneNumberAlternateFormatsProto_53" where payload is residing.

The package name of the application is used to derive the hash which is used as the AES decryption key. This key is used to decrypt the payload with an executable(.so) file which should contain the following declared functions.

Fig 2: Function/class names of similar known SDKs

To deter investigation, the class and method names of the functions appear similar to known SDKs.

"onInstall" function in the hidden dropped executable is called at runtime after loading executable by the "system.loadlibrary" function.

Fig 3: Implementation of malicious code inside executable

As shown above, the executable loads the method ‘Wnjre’ from the ‘com.Brling’ class. The dropped executable hides the payload with Base64 encryption.

Fig 4: Base64 encrypted content

The second payload downloads a known weaponized Java ARchive (JAR) file as a third payload as shown below.

Fig 5: Decrypted payload

The following are some examples of common techniques used by Joker Malware:

1. The app confirms if its package is still live on the Google Play Store.

Fig 6: Checks Google Play Store to confirm the app is still live.

2. Many Joker apps hide the payload in the assets folder of the Android Package Kit (APK) and creates an ARM ABI executable to avoid detection by most sandboxes which are based on x86 architecture.

3. Joker malware hides payloads with different types of encryption including,  XOR, AES, DES, ElGamal which are also commonly used with fake known asset files. Few of them have extensions like JSON, TTF, PNG or database files. In several examples, apps encrypted and hide the malicious payload in the meta-data of the app manifest file. More often, the decryption key is derived from the package name of the app possibly to avoid the additional effort of customizing decryption routines. 

Fig 7: ELGAMAL encryption

Fig 8: DES key derivation from the package name

IOCs:

  • http://givehotdog[.]com
  • https://trustcats[.]com
  • http://giveme8[.]com/
  • https://xjuys[.]oss-accelerate[.]aliyuncs[.]com/xjuys
  • http://139[.]177[.]180[.]78/hell
  • https://xjuys[.]oss-accelerate[.]aliyuncs[.]com/fbhx1
  • https://xjuys.oss-accelerate[.]aliyuncs[.]com/fbhx2

 

FaceStealer Malware

Facestealer malware was also discovered on the Google Play Store, known for targeting Facebook users with fake Facebook login screens. Once the device is infected, the user is prompted to login to Facebook and can’t use the app without entering their credentials. Upon successful login, the credentials as well as auth tokens are stolen by the malware author.

Fig 9: Fake Facebook login screen

The fake page shown above, opened by the app injects downloaded javascript from the server using WebView.

Fig 10: URL for downloading malicious JavaScript

Once enabled, the malware app reaches out to the command and control (C2) server to download the malicious javascript. The URL, https://busynow[.]store/config, is still active and in the latest update, the malware authors added a character to fail the automatic decode of the Base64 encoded string. In the following screenshots, the added extra “W” character will cause the decode failure and revert to plaintext.

Base64 Decode

Fig 11: Base64 decoded

As shown in the screenshotbelow, stolen credentials and tokens are sent to the C2 serverwith the help of javascript loaded with malicious code.

Fig 12: Shows the "c_url" parameter for a remote C2 stealing facebook credentials. 

IOCs:

  • busynow[.]store
  • Zs8668[.]com
  • kcoffni[.]xyz

 

Coper Malware

Coper is a well known trojan that targets banking applications in Europe, Australia, and South America   disguised as a legitimate app in the Google Play Store. Once downloaded, this app unleashes the Coper malware infection which is capable of intercepting and sending SMS text messages, making USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen, performing overly attacks, preventing uninstalls and generally allowing attackers to take control and execute commands on infected device via remote connection with a C2 server. The result of these activities ultimately leads to attackers gaining information and access they can leverage to steal money from victims. 

  • App Name: Unicc QR Scanner
  • Package name: com.qrdscannerratedx
  • Sha256: 02499a198a8be5e203b7929287115cc84d286fc6afdb1bc84f902e433a7961e4

Fig 13: Unicc QR Scanner app laced with Coper malware on Google Play Store

 

This app disguises itself as a free QR scanner. Once installed, the app immediately prompts the user to update the app.

Infection Cycle

Fig 14: Screenshots show the process of enabling the malware infection by asking the user to upgrade the app, then prompting them to further grant advanced access permissions to the app in their device settings.

Next, the threat actors use a trojan dropper designed to install malware or a backdoor to a device,  by leveraging the Google Firebase app developer tool to call-out and receive the URL that will deliver the malicious payload as shown in the screenshot below.

FireBase

Fig 15: Firebase call-out

The malware downloads a configuration  that includes the URL hosting the new and malicious payload. As shown in the screenshot below, the name of the new payload is set by the android Shared Preferences file. The name of the installed payload also continues to change as well.

Pyaload

Fig 16: Shared preferences

The newly installed file is a fake Google Play Store app on the device with the package name “com.fromtoo2”  that immediately prompts the user to grant escalated accessibility permission and gain full control of the user's phone.

In the background, the fake Google Play Store app loads the libWeEq.so executable file and calls the predefined MvsEujZ function as further shown and described below.

Fig 17: MvsEujZ function called from executable file

The MvsEujZ function shown above decrypts a runnable file with a static key found in the executable and prompts the user to grant escalated  accessibility permissions at launch. After decrypting with libWeEq.so, the Coper code base becomes visible, as shown in the below screenshot.

Fig 18: Coper codebase

This final payload  uses Rivest Cipher 4 (RC4) encryption to hide its malicious signatures  and avoid detection. The following screenshot shows the decrypted C2 server addresses used by the Coper malware.

Fig 19: Screenshot shows the decoded contents of the payload

In the case that the Virtual Network Computing (VNC) service for remote-control access is not available, the malware authors leverage the android TeamViewer app to monitor the screen of the infected device as shown in the screenshot below.

Fig 20: Screenshot shows the code enabling attackers to use TeamViewer to monitor the screen of a device remotely

Finally, this last screenshot shows the backend of WebView where malicious javascript is loadedto enable the attackers to take full control through a C2 server connection and execute the actions they need to compromise and ultimately extort the victim.

Fig 21: Shows attackers leveraging the android developer app WebView 

IOCs:

  • raw[.]githubusercontent[.]com/k6062019/qq/main/porc[.]apk
  • abashkinokabashkinok[.]top/ZmEwY2ZmZWYzN2Mw/
  • asqwnbvb[.]shop/ZmEwY2ZmZWYzN2Mw/
  • barabashkinok[.]top/ZmEwY2ZmZWYzN2Mw/
  • ccnfddbvb[.]pics/ZmEwY2ZmZWYzN2Mw/
  • eendfbvb[.]sbs/ZmEwY2ZmZWYzN2Mw/
  • nbervbwe[.]monster/ZmEwY2ZmZWYzN2Mw/
  • nbrtvbsd[.]mom/ZmEwY2ZmZWYzN2Mw/
  • nbvb3954[.]fun/ZmEwY2ZmZWYzN2Mw/
  • nbvbvber[.]makeup/ZmEwY2ZmZWYzN2Mw/
  • nbvmnbbn[.]lol/ZmEwY2ZmZWYzN2Mw/
  • nbvvvb[.]hair/ZmEwY2ZmZWYzN2Mw/
  • nterospbnvdos[.]site/ZmEwY2ZmZWYzN2Mw/
  • nterospusios[.]shop/ZmEwY2ZmZWYzN2Mw/
  • ntospusios[.]top/ZmEwY2ZmZWYzN2Mw/
  • nytbvb[.]one/ZmEwY2ZmZWYzN2Mw/
  • qqnnffbvb[.]space/ZmEwY2ZmZWYzN2Mw/
  • qwnnnbvb[.]skin/ZmEwY2ZmZWYzN2Mw/
  • vbfdnbvb[.]online/ZmEwY2ZmZWYzN2Mw/
  • vntososupplsos[.]live/ZmEwY2ZmZWYzN2Mw/
  • wwereffnbvb[.]store/ZmEwY2ZmZWYzN2Mw/
  • xxfdnbvb[.]quest/ZmEwY2ZmZWYzN2Mw/

What Android user’s can do to avoid infection by these malwares: 

Don’t install unnecessary, untrusted, and un-vetted apps on your mobile device. Stick to the sources and providers you know and trust. Look for apps with very high install numbers and positive reviews. Seek out apps that are recommended by sources you trust and also feature lots of installs and positive reviews. 

Don't grant notifications listener permissions and escalated accessibility permissions to apps you don't fully trust. The notification listener service enables the package name of the app to be added to the enabled_notification_listeners provider. This enables read notifications and it includes critical access notifications like auto-generated one-time password/pin (OTP).

Avoid installing messaging apps if possible or use extreme caution and take the time to research and ensure that the app is well known and reviewed. Even when a link comes from a trusted friend asking you to download a messaging app, consider the possibility that your friend’s device may be compromised by malware and stop to confirm with them first, and then still take the time to conduct your own research and verify the app has a well-established and safe reputation before installing. Messaging apps require Read_SMS permission as their functionality and can easily leverage that permission to gain information including a key OTP they can use to further compromise victims.

If you become a victim of a malicious app from the Play Store, inform Google about it immediately through the support options in your play Store app. It is important that we work together to identify, flag, and remove malicious apps from our preferred app stores as soon as possible to limit the spread of malware and inhibit the success of threat actors. 

If you are responsible for protecting your corporate network, deploy Zscaler’s zero trust architecture to protect your users and prevent further compromise if a malicious app is downloaded by a user on their personal device.

 

Stay up to date with the latest digital transformation tips and news.

By submitting the form, you are agreeing to our privacy policy.