Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services.
Zscaler’s ThreatLabz research team has been constantly monitoring the Joker malware. Recently, we observed regular uploads of it onto the Google Play store. ThreatLabz notified the Google Android Security team, who have taken prompt action to remove the suspicious apps (listed below) from the Google Play store.
This prompted us to evaluate how Joker is so successful at getting around the Google Play vetting process. We saw 11 different samples regularly uploaded to Google Play recently clocking 30k installs.
The following are the names of the infected apps we discovered on the Google Play store:
- Free Affluent Message
- PDF Photo Scanner
- delux Keyboard
- Comply QR Scanner
- PDF Converter Scanner
- Font Style Keyboard
- Translate Free
- Saying Message
- Private Message
- Read Scanner
- Print Scanner
Joker malware authors have targeted some categories of apps more than others. Based on the 50+ payloads we have seen in the last 2.5 months, we have found the following 5 categories being targeted the most heavily:
- Health & Fitness
The “Tools” category has been the favorite target of the Joker malware author, accounting for 41% of the total payloads we have seen. “Communication” and “Personalization” are the next most affected categories with 28% and 22% of payload uploads respectively. The “Photography” category saw 7% payloads. “Health & Fitness” made up the final 2% of payloads; we believe this category is a new addition as we have not seen this category targeted previously.
Joker authors appear to use a name dictionary system to derive the publisher names for their malicious apps. All the Joker dropper malware have used full (first and last) names for developers, as shown below. Each developer has only one app registered to them as well. Such information serves as indicators to help us identify potential Joker malware -- though these criteria can certainly apply to legitimate apps as well.
New Tactics From Joker Malware Authors:
Joker is well known for changing its tactics to bypass the Google Play store vetting process. This time we saw Joker using URL shortener services to retrieve the first level of payload. Unlike the previous campaign where the payloads were retrieved from the Alibaba Cloud, in this campaign we saw the Joker-infected apps download the mediator payload with URL shortener services like TinyURL, bit.ly, Rebrand.ly, zws.im or 27url.cn to hide the known Cloud service URLs serving stage payloads.
Fig 1: URL shortener service TinyURL
Fig 2: URL shortener service Rebrand.ly
Example execution flow:
From the previous encounter, we also observed updated command and control center (C2) URIs. In the previous campaign, we saw the C&C URI pattern was “/k3z0/B9MO/” which changed in the newer payload to “/svhyqj/mjcxzy”.
Fig 3: Old C2 communication
Fig 4: New C2 communication
String Obfuscation Key Changes:
In the previous campaign, we saw the end payload use the string “nus106ba” to obfuscate the important information. It has been changed to “nus35ba” which can be observed in the below screenshot. We have also observed that the string which obfuscates sensitive strings such as C2 addresses keeps changing with the format “nus*ba” (where * represents a 2 or 3 digit number).
Fig 5: String Obfuscation examples
Fig 6:String Obfuscation examples
Abusing The Notification Access:
In this campaign, the Joker malware payloads abuse the notification access functionality. Once installed, the malware prompts for notification access to the user as shown in the below screenshot. The notification access grants permissions to potentially read all notifications posted by the device and any other installed applications. Once these settings have been allowed by the user, the malware has the control it needs to carry out its malicious activities.
Fig 7: Notification Access
Following is the code routine for Notification access by stager payload.
Fig 8: Code Routine for Notificationation Access Abuse
Following is the code routine for Notification access by the final payload.
Fig 9: Code Routine for Notification Access Abuse
New Variant Or Smart New Stage Payload?
In analyzing the Joker campaign from the past two months, we came across two instances of what we consider to be the newest variant, which has substantial differences. The app Font Style Keyboard is found to incorporate new changes from the older payloads.
In this Joker downloader app, we observed that the zws.im URL shortening service was leveraged to download the stage 1 payload.
Fig 10: Stage 1 Payload delivery URL
The Google Play store app connects to the zws.im URL shortener service which then responds with the URL to download the stage 1 payload.
Fig 11: Stage 1 download from Google Play Store app
Like the normal Joker campaign, this stage 1 payload has an embedded URL to download the next stage payload or the final stage payload. In this piece of malware, we saw the end payload was retrieved from the stage 1 payload as shown below.
Fig 12: Embedded second-stage payload.
Fig 13: Download of a second-stage payload.
From this point on, this variant deviates quite a bit from the normal routine of the Joker Campaign. In the previous Joker campaigns (or even the recent examples shown at the start of the writeup), the embedded URL in stage one was directly serving the Dalvik executables which are loaded by the stage one payload for further execution. In the new variant, the embedded URLs now serve the raw data which is later converted to the next stage payload via an XOR operation with a hardcoded key as shown in the below figure.
Fig 14: XORed with hardcoded key
Along with the XORed stage payload, another change to the stage binaries is that now the Joker stage payload also checks to see if specific apps are installed on the infected devices. Observe below.
Fig 15: Checks for the installed apps
The following are the apps that the stage payload checks for. These are also available on the Google Play store.
The stage payload will only continue certain activities if any of the above apps are not installed on the infected devices. From the listed apps categories and developer names we assume that these are again Joker-related apps that can be used to assess the infected devices. However, by the time of writing this, two of these apps have been taken down by the Google Play store and the rest are not working in our environment, so we cannot confirm that these are Joker malware.
Unlike the previous Joker campaigns, the stage payload is also doing command and control communication. The below screenshot exhibits the activity from the staged payload. In the normal routine, we did not observe any network activity from the staged payload apart from straightforward downloads of the next stage payload. In this sample, we have found the staged payload connects to the gaikai[.]work domain by sending device information and receiving the commands from the server.
Fig 16: C2 from stage payload
Along with this, we are also observing that the stage payload uses a XXTEA algorithm to encrypt the data being served to and by the C2 server. Below is the code routine for encryption and decryption of data with the hard-coded key.
Fig 17: XXTEA encode and decode
We believe stage payload C2 activity is mainly used to screen the infected mobile phones that meet the trigger condition. The C2 server can issue an error_code field with a return value on which the malware will act accordingly to trigger certain malicious activities including SMS operations.
Fig 18: XXTEA decode
In the normal Joker infection cycle the intermediate payloads will directly drop the final stage payload, whereas in this smart stage payload, we saw the final stage payload will only be downloaded if the infected device has a Thailand Mobile SIM card. Observe the below screenshot.
Fig 19: Final stage download.
The Joker malware authors are very active and innovating on their tactics in their attempts to bypass the vetting process of the Google Play store. Judging by the number of payloads uploaded to Google Play, we can safely say that the Joker malware authors are succeeding in their efforts.
At ThreatLabz, we constantly monitor the newly added apps to the Google Play store for such incidents and help remove them from the Google Play store by collaborating with the Google Security Team.
The Google Play store is not the only place that Joker malware can be found. These same apps are uploaded to other third-party app stores as well due to those stores’ regular crawling activities on the Google Play store. Malicious apps have been promptly removed from the Play store upon being reported by the security community or caught by their vetting process, but these apps can live longer in the third-party app stores who do not perform these same actions. Hence, we still recommend using Google Play store for downloading any mobile app.
Free Affluent Message
PDF Photo Scanner
Comply QR Scanner
PDF Converter Scanner
Font Style Keyboard