Zscaler Blog

Security Research

Joker Joking in Google Play

VIRAL GANDHI
July 20, 2021 - 8 min read

Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services.

Zscaler’s ThreatLabz research team has been constantly monitoring the Joker malware. Recently, we observed regular uploads of it onto the Google Play store. ThreatLabz notified the Google Android Security team, who have taken prompt action to remove the suspicious apps (listed below) from the Google Play store. 

This prompted us to evaluate how Joker is so successful at getting around the Google Play vetting process. We recently saw 11 different samples regularly uploaded to Google Play, clocking 30k installs.

The following are the names of the infected apps we discovered on the Google Play store:

  • Free Affluent Message
  • PDF Photo Scanner
  • delux Keyboard
  • Comply QR Scanner
  • PDF Converter Scanner
  • Font Style Keyboard
  • Translate Free
  • Saying Message
  • Private Message
  • Read Scanner
  • Print Scanner

Targeted Categories:

Joker malware authors have targeted some categories of apps more than others. Based on the 50+ payloads we have seen in the last 2.5 months, we have found the following 5 categories being targeted the most heavily:

  • Health & Fitness
  • Photography
  • Tools
  • Personalization
  • Communication

The “Tools” category has been the favorite target of the Joker malware author, accounting for 41% of the total payloads we have seen. “Communication” and “Personalization” are the next most affected categories, with 28% and 22% of payload uploads respectively. The “Photography” category saw 7% of payloads. “Health & Fitness” made up the final 2% of payloads; we believe this category is a new addition, as we have not seen it targeted previously.

Publisher Names:

Joker authors appear to use a name dictionary system to derive the publisher names for their malicious apps. All of the Joker dropper malware has used full (first and last) names for developers, as shown below. Each developer also has only one app registered to them. Such information serves as an indicator to help us identify potential Joker malware -- though these criteria can certainly apply to legitimate apps as well.

Publisher Names

New Tactics From Joker Malware Authors:

Joker is well known for changing its tactics to bypass the Google Play store vetting process. This time we saw Joker using URL shortener services to retrieve the first level of payload. Unlike the previous campaign, where the payloads were retrieved from the Alibaba Cloud, in this campaign we saw the Joker-infected apps download the mediator payload with URL shortener services like TinyURL, bit.ly, Rebrand.ly, zws.im or 27url.cn to hide the known Cloud service URLs serving stage payloads.

Fig 1: URL shortener service TinyURL


Fig 2: URL shortener service Rebrand.ly

Figure: Example execution flow

C2 Changes:

Compared with our previous encounter, we also observed updated command and control (C2) URIs. In the previous campaign, the C2 URI pattern was “/k3z0/B9MO/”, which changed in the newer payload to “/svhyqj/mjcxzy”.

Fig 3: Old C2 communication


Fig 4: New C2 communication
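
Both network changes described above, the shortener redirect into cloud storage and the C2 URI patterns, can be hunted for in web proxy logs. The following is an added example, not code from the original post: the log layout, sample lines and example.test/example.org hosts are constructed, and the storage suffixes (Alibaba Cloud OSS, Tencent Cloud COS) are an assumed starting list.

```python
from urllib.parse import urlsplit

# Shortener services and C2 URI patterns named in the article.
SHORTENERS = {"tinyurl.com", "bit.ly", "rebrand.ly", "zws.im", "27url.cn"}
C2_PATHS = ("/k3z0/B9MO/", "/svhyqj/mjcxzy")
# Assumption: object-storage suffixes to treat as stage hosting (extend as needed).
STORAGE_SUFFIXES = (".aliyuncs.com", ".myqcloud.com")

# Constructed proxy log: time client status url redirect_location
SAMPLE_LOG = """\
2021-07-01T10:00:01Z 10.0.0.21 301 https://zws.im/abc123 https://bucket-example.oss-us-west-1.aliyuncs.com/stage1
2021-07-01T10:00:03Z 10.0.0.21 200 https://bucket-example.oss-us-west-1.aliyuncs.com/stage1 -
2021-07-01T10:00:09Z 10.0.0.21 200 http://c2.example.test/svhyqj/mjcxzy/report -
2021-07-01T10:01:00Z 10.0.0.35 301 https://bit.ly/news https://www.example.org/article
2021-07-01T10:02:00Z 10.0.0.35 200 https://docs.example.org/k3z0/readme -
"""

def host_of(url):
    """Lower-cased hostname without a leading 'www.', or '' if there is none."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def find_hits(log_text):
    """Return (client, rule, url) for every log line matching a Joker indicator."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _ts, client, status, url, location = fields
        # Rule 1: a shortener answers with a redirect into cloud object storage.
        if (status.startswith("3") and host_of(url) in SHORTENERS
                and host_of(location).endswith(STORAGE_SUFFIXES)):
            hits.append((client, "shortener_to_cloud_storage", url))
        # Rule 2: the request path carries the old or the new C2 URI pattern.
        if any(p in urlsplit(url).path for p in C2_PATHS):
            hits.append((client, "joker_c2_uri", url))
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(*hit)
```

Rule 1 alone also matches legitimate short links to cloud-hosted files, so it is best correlated per client with rule 2 or with a mobile user agent.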

 

String Obfuscation Key Changes:

In the previous campaign, we saw the end payload use the string “nus106ba” to obfuscate the important information. It has been changed to “nus35ba”, which can be observed in the screenshot below. We have also observed that the string which obfuscates sensitive strings such as C2 addresses keeps changing with the format “nus*ba” (where * represents a 2 or 3 digit number).

Fig 5: String Obfuscation examples

Fig 6: String Obfuscation examples
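
The “nus*ba” format lends itself to a static triage check over an extracted payload. The following is an added example, not code from the original post: it assumes the marker is interleaved into the cleartext and deleted at runtime (the post only says the string is used for obfuscation), and the sample bytes and host name are constructed.

```python
import re

# Marker format from the article: "nus", a 2- or 3-digit number, then "ba".
MARKER = re.compile(rb"nus\d{2,3}ba")
# Printable ASCII runs, a rough stand-in for entries of the DEX string table.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")

# Constructed sample bytes; the host is a placeholder, not a real indicator.
SAMPLE = (b"\x00\x01htnus35batp://c2.exnus35baample.tenus35bast/svhyqj/mjcxzy\x00"
          b"ordinary string\x00senus106band_sms\x00")

def deobfuscate_strings(blob):
    """Return (marker variants seen, cleaned strings) for marked runs only."""
    markers, cleaned = set(), []
    for run in PRINTABLE.finditer(blob):
        text = run.group()
        found = MARKER.findall(text)
        if not found:
            continue  # string carries no marker, not of interest
        markers.update(m.decode("ascii") for m in found)
        # Assumption: the payload restores the string by deleting the marker.
        cleaned.append(MARKER.sub(b"", text).decode("ascii"))
    return sorted(markers), cleaned

if __name__ == "__main__":
    seen, strings = deobfuscate_strings(SAMPLE)
    print("marker variants:", seen)
    for s in strings:
        print("recovered:", s)
```

Because printable-run extraction ignores the DEX length prefixes, a recovered string can carry one stray leading character; parse the string table properly when exact values matter.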

 

Abusing The Notification Access:

In this campaign, the Joker malware payloads abuse the notification access functionality. Once installed, the malware prompts the user for notification access, as shown in the screenshot below. Notification access grants permission to potentially read all notifications posted by the device and any other installed applications. Once these settings have been allowed by the user, the malware has the control it needs to carry out its malicious activities.

Fig 7: Notification Access

The following is the code routine for notification access by the stager payload.

Fig 8: Code Routine for Notification Access Abuse

The following is the code routine for notification access by the final payload.

Fig 9: Code Routine for Notification Access Abuse

New Variant Or Smart New Stage Payload?

In analyzing the Joker campaign from the past two months, we came across two instances of what we consider to be the newest variant, which has substantial differences. The app Font Style Keyboard was found to incorporate new changes compared with the older payloads.

New variant

In this Joker downloader app, we observed that the zws.im URL shortening service was leveraged to download the stage 1 payload.

Fig 10: Stage 1 Payload delivery URL

The Google Play store app connects to the zws.im URL shortener service which then responds with the URL to download the stage 1 payload.


Fig 11: Stage 1 download from Google Play Store app

Like the normal Joker campaign, this stage 1 payload has an embedded URL to download the next stage payload or the final stage payload. In this piece of malware, we saw the end payload was retrieved from the stage 1 payload as shown below.


Fig 12: Embedded second-stage payload.


Fig 13: Download of a second-stage payload.

From this point on, this variant deviates quite a bit from the normal routine of the Joker Campaign. In the previous Joker campaigns (or even the recent examples shown at the start of the writeup), the embedded URL in stage one was directly serving the Dalvik executables which are loaded by the stage one payload for further execution. In the new variant, the embedded URLs now serve the raw data which is later converted to the next stage payload via an XOR operation with a hardcoded key as shown in the below figure.


Fig 14: XORed with hardcoded key
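
For triage of a downloaded stage blob, the fixed fields of the DEX header give enough known plaintext to recover a short repeating XOR key without the sample's code. The following is an added example, not code from the original post: it assumes the decoded stage is a raw DEX and that the key repeats from offset 0 and is at most 8 bytes long, and the test blob and its key are constructed.

```python
import struct

DEX_VERSIONS = (b"035", b"037", b"038", b"039")
HEADER_LEN = 0x70

def xor(data, key):
    """XOR data with a repeating key that starts at offset 0."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def looks_like_dex(header, total_len):
    """Validate the magic plus the file_size, header_size and endian_tag fields."""
    if (len(header) < HEADER_LEN or header[:4] != b"dex\n"
            or header[4:7] not in DEX_VERSIONS or header[7] != 0):
        return False
    file_size, header_size, endian = struct.unpack_from("<III", header, 32)
    return (file_size, header_size, endian) == (total_len, HEADER_LEN, 0x12345678)

def recover_xor_key(blob, max_len=8):
    """Return b'' for a plain DEX, the shortest fitting key, or None."""
    if looks_like_dex(blob[:HEADER_LEN], len(blob)):
        return b""
    for version in DEX_VERSIONS:
        # Ciphertext XOR known magic = first eight keystream bytes.
        stream = xor(blob[:8], b"dex\n" + version + b"\x00")
        for klen in range(1, max_len + 1):
            key = stream[:klen]
            # Offsets 32..43 were not used to derive the key, so they confirm it.
            if looks_like_dex(xor(blob[:HEADER_LEN], key), len(blob)):
                return key
    return None

def make_sample(key):
    """Constructed test input: a minimal DEX-like header plus filler, XORed."""
    header = bytearray(HEADER_LEN)
    header[:8] = b"dex\n035\x00"
    body = bytes(range(64))
    struct.pack_into("<III", header, 32, HEADER_LEN + len(body),
                     HEADER_LEN, 0x12345678)
    return xor(bytes(header) + body, key)

if __name__ == "__main__":
    blob = make_sample(b"\x5a\x13\xc7")  # constructed key, not the sample's
    key = recover_xor_key(blob)
    print(key.hex(), xor(blob, key)[:8])
```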

Along with the XORed stage payload, another change to the stage binaries is that now the Joker stage payload also checks to see if specific apps are installed on the infected devices. Observe below.


Fig 15: Checks for the installed apps

The following are the apps that the stage payload checks for. These are also available on the Google Play store.

Figure: Apps checked for by the stage payload

The stage payload will only continue certain activities if any of the above apps are not installed on the infected devices. From the listed apps categories and developer names we assume that these are again Joker-related apps that can be used to assess the infected devices. However, by the time of writing this, two of these apps have been taken down by the Google Play store and the rest are not working in our environment, so we cannot confirm that these are Joker malware.

Unlike the previous Joker campaigns, the stage payload is also doing command and control communication. The screenshot below exhibits the activity from the staged payload. In the normal routine, we did not observe any network activity from the staged payload apart from straightforward downloads of the next stage payload. In this sample, we have found the staged payload connects to the gaikai[.]work domain by sending device information and receiving the commands from the server.

Fig 16: C2 from stage payload

Along with this, we are also observing that the stage payload uses the XXTEA algorithm to encrypt the data being served to and by the C2 server. Below is the code routine for encryption and decryption of data with the hard-coded key.

Fig 17: XXTEA encode and decode

We believe stage payload C2 activity is mainly used to screen the infected mobile phones that meet the trigger condition. The C2 server can issue an error_code field with a return value on which the malware will act accordingly to trigger certain malicious activities including SMS operations.


Fig 18: XXTEA decode

In the normal Joker infection cycle, the intermediate payloads will directly drop the final stage payload, whereas in this smart stage payload, we saw the final stage payload will only be downloaded if the infected device has a Thailand Mobile SIM card. Observe the screenshot below.

Fig 19: Final stage download.

Conclusion:

The Joker malware authors are very active and keep innovating on their tactics in their attempts to bypass the vetting process of the Google Play store. Judging by the number of payloads uploaded to Google Play, we can safely say that the Joker malware authors are succeeding in their efforts.

At ThreatLabz, we constantly monitor the newly added apps to the Google Play store for such incidents and help remove them from the Google Play store by collaborating with the Google Security Team.

The Google Play store is not the only place that Joker malware can be found. These same apps are uploaded to other third-party app stores as well, due to those stores’ regular crawling activities on the Google Play store. Malicious apps have been promptly removed from the Play store upon being reported by the security community or caught by its vetting process, but these apps can live longer in the third-party app stores that do not perform these same actions. Hence, we still recommend using the Google Play store for downloading any mobile app.

Package Names:

  • com.affluent.messenger: Free Affluent Message
  • com.tc.pdfscanner: PDF Photo Scanner
  • com.delux.Keyboard: delux Keyboard
  • com.comply.qrscan: Comply QR Scanner
  • com.converter.pdfscanner: PDF Converter Scanner
  • r4d236dTy.rc5a682Ty.r7a6011Ty: Font Style Keyboard
  • com.text.translate.freegp: Translate Free
  • say.freetext: Saying Message
  • messenger.message.private: Private Message
  • com.totalcomapp.barcodereader: Read Scanner
  • com.scanner.sad.msgf.wq: Print Scanner

IOCs:


C&C:

  • 161[.]117[.]46[.]64
  • gaikai[.]work
  • spotifyly[.]world

 
