
Analysis of Android Malware Joker's new communication techniques

The Joker malware is back in the Google Play Store, and this time it uses a different communication technique from the usual one.

This new communication technique prompted us to write this post detailing the behaviour we observed on our automated SecneurX Advanced Dynamic Malware Analysis Platform. The package names and the Indicators of Compromise from our analysis are listed at the bottom of this article for interested analysts.

SecneurX has been detecting variants of this Joker campaign since March 2021. We have been reporting the malicious apps to the Google Play and Android Security Team, and they have been removing the reported apps from the Google Play Store.

Joker is notorious for stealing money from users by enrolling them in premium subscriptions without their knowledge. It then reads the victim's SMS messages, contact list and other user data to validate the payments.

Joker malware Android app sample

This analysis details the encoding that current Joker samples use in their communication with the Command and Control (C2) server. Earlier variants used several rounds of communication to download the malicious payload. Those payloads were usually delivered as a dex file or as a PK (ZIP archive) file, and the C2 traffic was base64 encoded.

In the recent variants, we observed that the malware has adopted a different encoding scheme to download its payload. The observations are as follows:

The second-stage payload downloaded from the C2 is XOR encoded.

The malware XOR-decodes the payload, which contains the C2 URL for the next-stage download.

The malicious code communicates with the C2 using XXTEA encryption, with the key hardcoded in the payload.

In most samples, 'testxx1234567890' was the encryption key used. It is a 16-byte ASCII string, exactly the 128-bit key size XXTEA expects, so it can be found with a plain string search in the decoded payload, and because it is hardcoded, captured C2 traffic from these samples can be decrypted offline.

A sample of the encrypted POST communication to the C2 is shown below.

Sample encrypted POST communication to C2
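To make the two observations above concrete, the following Python is added here as an illustration; it is not code from the analysed samples or from SecneurX's platform. It implements Corrected Block TEA (XXTEA) as published by Wheeler and Needham, keyed with the 'testxx1234567890' key named above, plus a single-byte XOR decoder that recovers the key by looking for a URL in the decoded output, and runs both over constructed sample data (the stage-2 blob, the placeholder URL next-stage.invalid and the POST body are made up for the example). The XOR key length, the little-endian word packing and the trailing length word used for padding are assumptions that follow the convention of the common xxtea libraries; a real sample's decompiled code must be checked for its own packing before this decoder is trusted on captured traffic.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF

# Key reported on the page for most samples: 16 ASCII bytes = the 128-bit key XXTEA expects.
C2_KEY = b"testxx1234567890"


def _mx(total, y, z, p, e, k):
    """XXTEA mixing function, as in the reference C implementation (mod 2**32)."""
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)))
            ^ ((total ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK


def xxtea_encrypt_words(v, k):
    """Encrypt a list of uint32 words with a 4-word key; returns a new list."""
    n = len(v)
    if n < 2:                      # btea leaves fewer than two words untouched
        return list(v)
    v = list(v)
    rounds = 6 + 52 // n
    total = 0
    z = v[n - 1]
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        e = (total >> 2) & 3
        for p in range(n - 1):
            y = v[p + 1]
            v[p] = (v[p] + _mx(total, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n - 1] = (v[n - 1] + _mx(total, y, z, n - 1, e, k)) & MASK
        z = v[n - 1]
    return v


def xxtea_decrypt_words(v, k):
    """Inverse of xxtea_encrypt_words: same rounds, walked backwards."""
    n = len(v)
    if n < 2:
        return list(v)
    v = list(v)
    rounds = 6 + 52 // n
    total = (rounds * DELTA) & MASK
    y = v[0]
    for _ in range(rounds):
        e = (total >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(total, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n - 1]
        v[0] = (v[0] - _mx(total, y, z, 0, e, k)) & MASK
        y = v[0]
        total = (total - DELTA) & MASK
    return v


def _to_words(data, with_length):
    # ASSUMPTION: little-endian words, zero padding to a 4-byte boundary and a
    # trailing length word (the convention of the common xxtea libraries).
    padded = data + b"\0" * (-len(data) % 4)
    words = list(struct.unpack("<%dI" % (len(padded) // 4), padded))
    if with_length:
        words.append(len(data))
    return words


def _from_words(words, with_length):
    raw = struct.pack("<%dI" % len(words), *words)
    if not with_length:
        return raw
    n = words[-1]
    if n > len(raw) - 4:           # garbage length word: wrong key or corrupt data
        raise ValueError("length word out of range: wrong key or corrupt data")
    return raw[:n]


def _key_words(key):
    return _to_words(key[:16].ljust(16, b"\0"), False)   # 4 x uint32


def xxtea_encrypt(data, key=C2_KEY):
    return _from_words(xxtea_encrypt_words(_to_words(data, True), _key_words(key)), False)


def xxtea_decrypt(data, key=C2_KEY):
    if len(data) % 4:
        raise ValueError("XXTEA ciphertext length must be a multiple of 4")
    return _from_words(xxtea_decrypt_words(_to_words(data, False), _key_words(key)), True)


def xor_decode(blob, key):
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def recover_xor_key(blob, crib=b"http"):
    """Brute-force a single-byte XOR key using the expected URL scheme as a crib.
    ASSUMPTION: the page does not give the key length; a longer key needs crib-dragging."""
    for k in range(256):
        if crib in xor_decode(blob, bytes([k])):
            return k
    return None


def analyse_stage2(blob):
    """Recover the XOR key and return the decoded stage-2 payload, or None."""
    k = recover_xor_key(blob)
    return None if k is None else xor_decode(blob, bytes([k]))


# Constructed sample data (not captured traffic): a stage-2 blob carrying the
# next-stage URL, XOR'd with 0x5a, and a POST body XXTEA-encrypted with C2_KEY.
STAGE2_PLAIN = b'{"url":"http://next-stage.invalid/payload.bin"}'
STAGE2_BLOB = xor_decode(STAGE2_PLAIN, b"\x5a")
POST_PLAIN = b"pkg=com.example.app&ct=in&cd=40480"
POST_BODY = xxtea_encrypt(POST_PLAIN, C2_KEY)

if __name__ == "__main__":
    print(analyse_stage2(STAGE2_BLOB))
    print(xxtea_decrypt(POST_BODY, C2_KEY))
```

On a real capture, feed the raw POST body to xxtea_decrypt after undoing any transport encoding the sample applies on top (base64 or hex, which the page does not specify); a ValueError from the length check is the usual sign that the key or the word packing is wrong for that sample.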

Conclusion

The Joker campaign is still active in the Google Play Store. SecneurX is constantly on the lookout for malicious applications in the Google Play Store. The malicious applications we identify, and their associated IOCs, are reported to the Google Play and Android Security Team for removal.

To get immediate notifications of our posts on malicious applications, follow us on Twitter (@secneurx).

Package Names

com.motionalapps.enentappstickers

com.freedowm.freescanner.wangzhescanner

com.onimagetouao.oceanwallpapers

com.asdka.asaa

con.greencleaner.tab

sadkljz.sf.dfga.as

com.amalidoc.pdfcamerascanner

coc.handy.translation

com.skysms.skymessage.messages

sda.ksanjaw.ksdk

com.freephotokey.easytouse.randomkeyboard

com.senvetir.heartpulse

skamdka.zmaawedw

io.scanner.pluss

com.sentivetiy.bloodrecordor

com.binggogo.bingogo

com.element.domain.myscanner

com.sayvoice.sunny.translator

com.nbgwdm.cuiziwallpaper

co.Photo.Custom.Keyboard

com.newnewwawawords.wordsnotebook

cut.myapp.photo

com.delux.Keyboard

com.xxlsbcmccz.litepocketwallpapers

Indicators of Compromise

URLs
hxxp[:]//tpfl[.]oss-us-east-1[.]aliyuncs[.]com/h
hxxp[:]//tpfl[.]oss-us-east-1[.]aliyuncs[.]com/mn
hxxp[:]//tpfl[.]oss-us-east-1[.]aliyuncs[.]com/apps
hxxp[:]//tpfl[.]oss-us-east-1[.]aliyuncs[.]com/motionstickers
hxxp[:]//buckts[.]oss-me-east-1[.]aliyuncs[.]com/wd
hxxp[:]//buckts[.]oss-me-east-1[.]aliyuncs[.]com/sdf
hxxp[:]//dagmar[.]oss-us-east-1[.]aliyuncs[.]com/Handy/HY
hxxp[:]//517-1305586011[.]cos[.]na-toronto[.]myqcloud[.]com/b
hxxp[:]//smas[.]oss-us-east-1[.]aliyuncs[.]com/mg[.]js
hxxp[:]//61toolll[.]oss-us-east-1[.]aliyuncs[.]com/heart
hxxp[:]//61toolll[.]oss-us-east-1[.]aliyuncs[.]com/heart_sub
hxxp[:]//512-1305586011[.]cos[.]na-ashburn[.]myqcloud[.]com/a1
hxxp[:]//gaikai[.]work/fbid/?ts=xxx&id=jfi&ct=in&cd=40480
hxxp[:]//spotifly[.]world/fbid/?ts=16227XXXX8259&id=jga&ct=in&cd=40480
hxxp[:]//20210419-1305586011[.]cos[.]na-toronto[.]myqcloud[.]com/11
hxxp[:]//20210419-1305586011[.]cos[.]na-toronto[.]myqcloud[.]com/22
hxxp[:]//ssssmmm-1259272850[.]cos[.]ap-mumbai[.]myqcloud[.]com/voice
hxxp[:]//517-1305586011[.]cos[.]na-toronto[.]myqcloud[.]com/b2
hxxp[:]//517-1305586011[.]cos[.]na-toronto[.]myqcloud[.]com/b_sub2
SHA256 Hashes
03a9d0eeed89308883acb9c6b66ee503424e0bb8173d495a868e22597ba692a9
1cb944c1a733f2eed30d22d4beaf3a8153df0c1b04b8859bab28d3f20b658010
1cc684d36748f1fc0847455b0d1edf8980da4ce992c6b61c8a78fc7e03a02f1a
1eb1e2c49c8a69f9ce96e0aa43579398a1f07cfddee37737f843f2138cbb1553
1f681a25083ad476c928ab95654977937b16c253343ab6655c70d758d4d36afa
2e8239ded6e16fab08ca189c47889a463062e29662183969d2b321353179ffad
312c6d305367f7d6f624424d1fc227f6a6c02058fe7d4acbac5bf1a84d6ac3ed
50aeb373d17273fe46276526447e86bc3900afecef2706bc00da3fc445d2752a
5e4de923263f545bcb38079c4a6589dccaea745e67dcac9717a6961253a7646c
61149103281d06d59f3d3ded8543150f1e7d2e8f8ca8efef2ec8a0944eedb64f
7ca1cee9a14973457a210b0f79bfd26d91a8db47174230b117a5aa11b9db2d91
825fb74888595517a10c7328bd24b8ec523fc59ba974c3cebba0c1fcf46ace24
83e3b60f804d8d8cb2e5926d0ce7381d025aba2f53b3ec7395732fca01d4f9df
87e9c84fd8e95a7b4af395e16573a3a15eda53916a761fb817dd4cd7cadf630d
9a4ba7e2b108320f8beef3f03f6e9781c3fcf6db17d75257ce3b0940f90f2b25
c55a1f0344582b1a4f06199bf2abc2e6cb11c22b18e1c86bbef433ab4b782ef4
ca492de4bf47fd1748bacdac71f0b53d75e9291c68756f6be37a3c6de12ad9aa
d97fbf641da16a4edc5b9700b3861cdf4eb3c79d0a16f91f4a0e4153fee1eacc
da3888be9a79e4f44ecdbad4436ae4f1f300b63778be7b7bc0f91a82faa35934
f3d5090767f67ff27b7d27065b252b35e8f87a7eca6ec9ce9589b195bbf3c928
f75372bf1f408211d8205a3f971bb33d5b559cfc5540a58848d9091fa6d17ffb
fa265f1b847a2ae187408ff051a7e81b9eb41e0612f60c1578d9930d6741b2eb
d5c641a2f2ebdc4ee41d56a654974d97ed3f01d3c6a56cacb684b606e9c99e91
f9a6eef52d031e0e39955f82688a0112b11ddf1401d3bf5b47bc94ca92548104
1f6cadd18c5289482d5ff1347cfac2a82256a23661bb8f89b93a18eb9b21a190
0683d22eda33973dce0f363468595219c022b9123285820d4769e419e52dd695
d7d41514569234c663c6af5f92a9b0961e1d93eee4abf121f54cb76ccb2b5c01
65921a9b9299d417bc3985d2570f0a326cc4c880284b9426d4282f20da3ec3ea
cdc043bbdd56900beb9b06d9366c6a7ff3b0f9b0cbb48f16be838e49bda5eca8
a254ba1293f61c7df1b8f94741e7900cc0be0100d20bde0a2a2472c20e725be6
c7a65f70d5230e2ad95c442f368385a22221a62aea9949cc67c8f26930e46f56
d4572d7390ae7799865cfc41b3c58eadcefcebca999bcfc169c9a4d1276d5334
4bad3aa9b50ad2a149bc504ea695c3e48cb40dd019829143057e067a3c6726bc
d6c4026b62595ad402fcf8ba43e007ea8149d611cf54cbffcec18a0c0fe1fd4f
157790784c45a8ea0521ae8837d48e0d13a97ab6dff03571d59d27e6414118fe
a5b36628ce3afd9d07212859afd99dcd3d04dab2188d976b44b1a51d8917e340
c7d03052ce809091a8ab2a4a4b2871fc3bab9a56d8d3b73a6c467620113f4a01
748ecdcc777fdae47f19c28f226bcda9c460b4586729ed6385f030010f336c9f
83e681d6fd371be64db31a135f4788d3d984dde0124edf788473881901d6a0e8