The Joker – Android Malware

An article on the CSIS TechBlog looks into a new Android Trojan named “Joker”, which was detected in 24 apps on the Google Play store. Collectively, these apps had been downloaded more than 472,000 times. After an infected app is installed, a second stage is downloaded that can steal the victim’s SMS messages, contact list, and device information, which it sends to its C&C server.

It can also interact with advertising sites automatically and silently sign users up for paid subscription services. The malware’s behaviour depends on the geography in which the infected device is located; some 37 countries were identified as being targeted.

The Joker malware only attacks targeted countries. Most of the infected apps contain a list of Mobile Country Codes (MCC), and the victim has to be using a SIM card from one of these countries in order to receive the second stage payload. The majority of the discovered apps target EU and Asian countries, although some of the apps do not restrict by country at all.

The malware is controllable by the C&C server operators, which allows them to craft specific jobs and tasks.

Further details – https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451

YARA Rule

Loader YARA rule:
rule android_joker {
    strings:
        $c    = { 52656D6F746520436C6F616B } // Remote Cloak
        $cerr = { 6E6574776F726B2069737375653A20747279206C61746572 } // network issue: try later
        $net  = { 2F6170692F636B776B736C3F6963633D } // /api/ckwksl?icc=
        $ip   = { 332E3132322E3134332E3236 } // 3.122.143.26
    condition:
        ($c and $cerr) or $net or $ip
}
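As an added example (it is not part of the original post or of the CSIS analysis), the following Python re-expresses the rule’s four strings and its condition so the hex patterns can be checked against their ASCII comments and the condition can be exercised without YARA installed. The sample buffers are constructed for the example; the “benign” one shows why the rule pairs $c with $cerr rather than firing on the generic phrase “Remote Cloak” alone.

```python
# Added example: the android_joker rule's strings and condition in plain Python.

# Hex byte patterns copied from the rule above.
JOKER_PATTERNS = {
    "c":    "52656D6F746520436C6F616B",                          # $c
    "cerr": "6E6574776F726B2069737375653A20747279206C61746572",  # $cerr
    "net":  "2F6170692F636B776B736C3F6963633D",                  # $net
    "ip":   "332E3132322E3134332E3236",                          # $ip
}


def decode_patterns(patterns=JOKER_PATTERNS):
    """Convert each hex pattern into the raw bytes YARA would search for."""
    return {name: bytes.fromhex(h) for name, h in patterns.items()}


def joker_matches(blob):
    """Report, per pattern, whether it occurs anywhere in blob."""
    return {name: pat in blob for name, pat in decode_patterns().items()}


def joker_condition(blob):
    """Evaluate the rule's condition: ($c and $cerr) or $net or $ip."""
    m = joker_matches(blob)
    return (m["c"] and m["cerr"]) or m["net"] or m["ip"]


# Constructed sample buffers (not real samples):
# a loader-like blob carrying both paired strings ...
SAMPLE_LOADER = b"dex\n035\x00" + b"Remote Cloak" + b"\x00" * 8 + b"network issue: try later"
# ... a benign blob that happens to contain only the generic phrase ...
SAMPLE_BENIGN = b"Remote Cloak is also a plausible app-theme name"
# ... and a blob carrying only the check-in URL path.
SAMPLE_NET = b"GET /api/ckwksl?icc= HTTP/1.1"

if __name__ == "__main__":
    for name, raw in decode_patterns().items():
        print(f"${name:<5} = {raw!r}")
    for label, blob in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN), ("net", SAMPLE_NET)):
        print(f"{label:<7} matches={joker_matches(blob)} -> {joker_condition(blob)}")
```

Running it prints the decoded strings and shows the loader and URL-path buffers matching while the benign buffer, which contains $c but not $cerr, does not.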

Indicators of Compromise

The first stage (payload distribution) C&C: http://3.122.143[.]26/
Main C&Cs:
http://joker2.dolphinsclean[.]com/
http://beatleslover[.]com/
http://47.254.144[.]154/

Second stage binaries (Core):
https://s3.amazonaws.com/media.site-group-df[.]com/s8-release
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8–5-release
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8-5-dsp-release
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8-all
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9-3-sendsms
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9–6-release
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9–6–2-release
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9-6-3
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y12-all-no-log
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y12-no-log
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y13-all
https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y13-all-v2-no-log
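Added example, not from the original post: a small Python matcher that refangs a subset of the indicators above and runs them over constructed proxy log lines. The log format and the SHARED_HOSTS set are assumptions made for the example. The point it makes is that the S3-hosted indicator sits under the shared host s3.amazonaws.com, so matching it on hostname alone would flag every S3 download; it has to be matched as a full URL prefix, while the remaining indicators can be matched on hostname.

```python
# Added example: refang the page's IoCs and match them against proxy logs.
import re
from urllib.parse import urlsplit

# Defanged indicators copied from the IoC list on this page.
DEFANGED_IOCS = [
    "http://3.122.143[.]26/",
    "http://joker2.dolphinsclean[.]com/",
    "http://beatleslover[.]com/",
    "http://47.254.144[.]154/",
    "https://s3.amazonaws.com/media.site-group-df[.]com/s8-release",
    "https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9-3-sendsms",
]

# Assumption for the example: hosts that are shared cloud services. A bare
# hostname match there would flag every customer of the service, so those
# indicators are matched on their full URL prefix instead.
SHARED_HOSTS = {"s3.amazonaws.com"}


def refang(ioc):
    """Undo the common defanging conventions ([.] and hxxp)."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def build_indicators(defanged=DEFANGED_IOCS):
    """Split indicators into a hostname set and a URL-prefix set."""
    hosts, prefixes = set(), set()
    for ioc in defanged:
        url = refang(ioc)
        host = urlsplit(url).hostname
        if host in SHARED_HOSTS:
            prefixes.add(url)
        else:
            hosts.add(host)
    return hosts, prefixes


# Assumed log format: "<time> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def scan_log(lines, indicators=None):
    """Return (line_number, indicator) for every log line that hits an IoC."""
    hosts, prefixes = indicators or build_indicators()
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        url = m.group("url")
        host = urlsplit(url).hostname
        if host in hosts:
            hits.append((n, host))
            continue
        for prefix in prefixes:
            if url.startswith(prefix):
                hits.append((n, prefix))
                break
    return hits


# Constructed proxy log lines (not real traffic). Line 3 is a legitimate S3
# download that must not be flagged; the icc value on line 1 is a placeholder.
SAMPLE_LOG = [
    "10:00:01 10.0.0.15 GET http://3.122.143.26/api/ckwksl?icc=PLACEHOLDER 200",
    "10:00:02 10.0.0.15 GET https://s3.amazonaws.com/media.site-group-df.com/s8-release 200",
    "10:00:03 10.0.0.22 GET https://s3.amazonaws.com/some-legit-bucket/file.zip 200",
    "10:00:04 10.0.0.22 GET https://www.example.com/ 200",
    "10:00:05 10.0.0.31 GET http://beatleslover.com/ping 404",
]

if __name__ == "__main__":
    for line_no, indicator in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {indicator}")
```

Lines 1, 2 and 5 are reported; line 3, although it goes to s3.amazonaws.com, is not, because only the full bucket path is an indicator.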

Duncan Newell

Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
