Analysis of Android Malware Joker's new communication techniques

The Joker malware is back in the Google Play Store, and this time with a different communication technique from the usual one.


This new communication technique prompted us to write this blog detailing the behaviour analysis obtained from our automated SecneurX Advanced Dynamic Malware Analysis Platform. The package names and Indicators of Compromise from our malware analysis are listed at the bottom of this article for interested analysts.


SecneurX has been detecting these variants of the Joker malware campaign since March 2021. We have been reporting these malicious apps to the Google Play and Android Security Team, and they have been removing the reported apps from the Google Play Store.


Joker malware is well known because it is notorious for stealing money from users by enrolling them in premium subscriptions without their knowledge. It then reads the victim's SMS messages, contact lists and user data to validate the payments.



This analysis details the current encoding method that Joker malware employs in its communication with the Command and Control (C2) server. In the past this malware used multiple communications to download the malicious payload. These payloads were usually delivered as a dex file or as a PK (archive) file, and base64 encoding was used to communicate with the C2.


In the recent variants we observed that the malware has adopted a different encoding method to download its payload; our observations are below:

  • The second-stage payload downloaded from the C2 is XOR encoded.

  • The malware XOR-decodes the payload, which contains the C2 URL for the next-stage download.

  • The malicious code communicates with the C2 using XXTEA encryption, with a key that is hardcoded in the payload.

  • In most samples 'testxx1234567890' is the encryption key that was used.

  • A sample of the encrypted POST communication to the C2 is shown below.
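The following is an added analyst helper, not code from the Joker samples or from SecneurX: a standard XXTEA (corrected Block TEA) implementation keyed with the hardcoded 'testxx1234567890' key reported above, so that a captured POST body can be decrypted for inspection once the key has been confirmed in the payload. It assumes the common XXTEA conventions (little-endian 32-bit words, zero padding to a 4-byte boundary); a given sample's framing may differ, and SAMPLE_C2_BODY is a constructed value, not captured traffic.

```python
import struct

JOKER_KEY = b"testxx1234567890"  # key reported on the page for most samples
DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF

def _mx(s, y, z, p, e, k):
    # XXTEA mixing function; the caller masks the result to 32 bits.
    return (((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))

def _to_words(data, pad):
    if pad:  # assumption: plaintext is zero-padded to a 4-byte boundary
        data += b"\x00" * (-len(data) % 4)
    return list(struct.unpack("<%dI" % (len(data) // 4), data))

def _from_words(words):
    return struct.pack("<%dI" % len(words), *words)

def xxtea_encrypt(data: bytes, key: bytes = JOKER_KEY) -> bytes:
    if len(key) != 16: raise ValueError("XXTEA uses a 128-bit key")
    k, v = _to_words(key, False), _to_words(data, True)
    if len(v) < 2:
        v.append(0)  # XXTEA needs at least two 32-bit words
    n, z, s = len(v), v[-1], 0
    for _ in range(6 + 52 // n):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n):
            y = v[(p + 1) % n]
            v[p] = (v[p] + _mx(s, y, z, p, e, k)) & MASK
            z = v[p]
    return _from_words(v)

def xxtea_decrypt(data: bytes, key: bytes = JOKER_KEY) -> bytes:
    if len(key) != 16 or len(data) % 4 or len(data) < 8: raise ValueError("bad input")
    k, v = _to_words(key, False), _to_words(data, False)
    n = len(v)
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, -1, -1):
            z = v[p - 1]  # p == 0 wraps to v[n-1] via Python indexing
            v[p] = (v[p] - _mx(s, y, z, p, e, k)) & MASK
            y = v[p]
        s = (s - DELTA) & MASK
    return _from_words(v).rstrip(b"\x00")  # strip the zero padding

# Constructed sample POST body in the shape of the query parameters seen in the IOC URLs.
SAMPLE_C2_BODY = b"ts=0000000000&id=EXAMPLE&ct=in&cd=00000"
```

Because the padding is stripped by removing trailing zero bytes, a body that legitimately ends in NUL bytes would lose them; keep the raw decrypted words if that matters for your sample.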



Conclusion


The Joker campaign is still active in the Google Play Store. SecneurX is constantly on the lookout for malicious applications in the Google Play Store. The malicious applications that we identify, and their associated IOCs, are reported to the Google Play and Android Security Team for removal.


To get immediate notifications of our posts on malicious applications, follow us on Twitter (@secneurx).


Package Name




IOC




SHA256




Payload



