
Google Play Store applications laced with Joker malware

For the past three years, Joker Trojans have kept appearing on the Google Play Store. Quick Heal Security Labs recently discovered eight Joker-infected applications in the Google Play Store and reported them to Google, which has since removed all of them.

Figure 1 Screenshot of Google Play Store application

Joker is a spyware Trojan that steals data from the victim's device, such as SMS messages, contact lists and device information. It then silently interacts with advertising websites and subscribes the victim to premium services without their knowledge. In January we reported a similar sample to Google and published a blog post on it.

Let's take a look at the behaviour of one of these applications:

  • Application name: Element Scanner
  • Developer name: Obrian Connie
  • Downloads: 10K +

At startup, the application requests notification access, which it uses to read the contents of posted notifications; this is how it retrieves SMS data from notifications without holding the SMS permission itself. It also requests access to contacts and the permission to make and manage phone calls. It then behaves like a document scanner application and shows the user no visible malicious activity.

Figure 2 Privileges required by the application

But in the background it downloads two payloads, one after the other. The first payload is fetched from a Bitly short link embedded in the original application on the Google Play Store (see Figure 3): "hxxp://bit[.]ly/3hT17RL". That payload in turn downloads the next stage from "hxxp://skullali[.]oss-me-east-1[.]aliyuncs[.]com/realease.mp3". This second payload is the Joker malware itself.

Figure 3 Payload download flow

The final payload, served as an .mp3 file, contains the notification access code (see Figure 4) and an onReceive method that collects the SMS data received through notifications (see Figure 5).

Figure 4 Notification access code

Figure 5 Implementation of the onReceive method

The payload also checks the mobile country code (MCC) of the SIM provider. If the code starts with "520", i.e. the SIM provider is in Thailand, it subscribes the user to the premium service, as shown in Figure 6.

Figure 6 Subscription code

Malware authors are distributing these malicious applications on the Google Play Store disguised as scanner, wallpaper and messaging applications, since such categories attract installs quickly. Users should be cautious with applications of this kind and install only those from trusted developers.

IOC:

MD5                               Detection name
05710c8525f31535eb7338653429b1fa  Android.Joker.Aad66
9add1126cd52900c06ce4fe58ffc5f25  Android.Jocker.Abd79
4705ce82dd8a969139f07b9576715dca  Android.Agent.Aed3f
17c9de7d2a62fb0ed640fd2a348d6ffd  Android.Joker.Af409
e4caf7c6a04139326d34bdb9b7282b00  Android.Agent.Aec9e
6b11d98e9713b3f3a53e201394c1247b  Android.Joker.Af408
995caba3370a6df5e73790d3461811e9  Android.Joker.Af406
dfe73757188ebe9d10aded37b349400b  Android.Joker.Af407

C2 server:

  • hxxp://buckts[.]oss-me-east-1[.]aliyuncs[.]com
  • hxxp://wter[.]oss-us-east-1[.]aliyuncs[.]com/
  • hxxp://skullali[.]oss-us-east-1[.]aliyuncs[.]com/
  • hxxp://161.117.46[.]64/svhyqj/mjcxzy
  • hxxp://suanleba[.]oss-us-west-1[.]aliyuncs[.]com
  • hxxps://new-sk[.]oss-ap-southeast-1[.]aliyuncs[.]com
  • hxxp://517-1305586011[.]cos[.]na-toronto[.]myqcloud[.]com/b2
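The indicators above are only useful if they can be matched against files quickly. The following script is an added example written for this post, not Quick Heal's own tooling: it embeds the MD5 table and the defanged C2 list from this page, refangs the URLs back into hostnames, and scans a file (or every file under a directory) both for a hash match and for any of the hosting domains appearing as a string. APKs are zip archives, so the scanner also walks the compressed members; otherwise a URL sitting inside a deflated classes.dex would be missed. The sample "APK" it builds for its own demonstration is constructed in memory and is not a real sample.

```python
"""Match files against the Joker IOCs listed in the post (added example, not the original analysis code)."""
import hashlib
import io
import re
import zipfile
from pathlib import Path
from typing import Dict, Iterator, List, Optional

# MD5 -> detection name, copied from the IOC table above.
JOKER_MD5: Dict[str, str] = {
    "05710c8525f31535eb7338653429b1fa": "Android.Joker.Aad66",
    "9add1126cd52900c06ce4fe58ffc5f25": "Android.Jocker.Abd79",
    "4705ce82dd8a969139f07b9576715dca": "Android.Agent.Aed3f",
    "17c9de7d2a62fb0ed640fd2a348d6ffd": "Android.Joker.Af409",
    "e4caf7c6a04139326d34bdb9b7282b00": "Android.Agent.Aec9e",
    "6b11d98e9713b3f3a53e201394c1247b": "Android.Joker.Af408",
    "995caba3370a6df5e73790d3461811e9": "Android.Joker.Af406",
    "dfe73757188ebe9d10aded37b349400b": "Android.Joker.Af407",
}

# Defanged C2 / payload-hosting URLs from the post (the bit.ly link is the first-stage URL).
DEFANGED_URLS: List[str] = [
    "hxxp://buckts[.]oss-me-east-1[.]aliyuncs[.]com",
    "hxxp://wter[.]oss-us-east-1[.]aliyuncs[.]com/",
    "hxxp://skullali[.]oss-us-east-1[.]aliyuncs[.]com/",
    "hxxp://161.117.46[.]64/svhyqj/mjcxzy",
    "hxxp://suanleba[.]oss-us-west-1[.]aliyuncs[.]com",
    "hxxps://new-sk[.]oss-ap-southeast-1[.]aliyuncs[.]com",
    "hxxp://517-1305586011[.]cos[.]na-toronto[.]myqcloud[.]com/b2",
    "hxxp://bit[.]ly/3hT17RL",
]


def refang(indicator: str) -> str:
    """Turn a defanged URL ('hxxp://a[.]b/x', possibly with stray spaces) into a lower-case hostname."""
    s = re.sub(r"\s+", "", indicator)
    s = s.replace("[.]", ".").replace("(.)", ".").replace(".]", ".")
    s = re.sub(r"^hxxps?://", "", s, flags=re.IGNORECASE)
    return s.split("/", 1)[0].lower()


C2_HOSTS: List[str] = sorted({refang(u) for u in DEFANGED_URLS})


def lookup_hash(md5: str) -> Optional[str]:
    """Detection name for a known MD5, or None."""
    return JOKER_MD5.get(md5.strip().lower())


def iter_contents(data: bytes) -> Iterator[bytes]:
    """Yield the blob itself and, if it is a zip (APK/JAR), every decompressed member."""
    yield data
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    yield zf.read(info)
        except zipfile.BadZipFile:
            pass


def find_c2_strings(data: bytes) -> List[str]:
    """Known hosting/C2 hostnames that occur anywhere in the blob or its zip members."""
    # latin-1 maps bytes 1:1 to characters, so ASCII hostnames survive surrounding binary noise.
    texts = [chunk.decode("latin-1").lower() for chunk in iter_contents(data)]
    return [h for h in C2_HOSTS if any(h in t for t in texts)]


def scan_blob(name: str, data: bytes) -> dict:
    md5 = hashlib.md5(data).hexdigest()
    return {"name": name, "md5": md5, "detection": lookup_hash(md5), "c2_hosts": find_c2_strings(data)}


def scan_directory(root: str) -> List[dict]:
    """Every file under root that matches a hash or contains a known hostname."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            r = scan_blob(str(p), p.read_bytes())
            if r["detection"] or r["c2_hosts"]:
                hits.append(r)
    return hits


def build_constructed_apk() -> bytes:
    """Constructed, deflated zip standing in for an APK; the URL only exists inside the compressed member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"http://skullali.oss-us-east-1.aliyuncs.com/realease.mp3\x00")
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")
    return buf.getvalue()


SAMPLE_APK = build_constructed_apk()

if __name__ == "__main__":
    import sys
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else [scan_blob("constructed.apk", SAMPLE_APK)]
    for r in results:
        print(r)
```

Run it with a directory of APKs as the only argument; without arguments it scans the constructed sample and reports the skullali hosting domain. A hash match identifies one of the eight listed samples exactly, while a hostname match is the weaker signal that catches repackaged or re-signed variants sharing the same download infrastructure.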

Tips for ensuring safety

  • Download the application only from trusted sources such as the Google Play store.
  • Learn how to identify fake applications on the Google Play Store.
  • Do not click on unknown links received via messages or other social media platforms.
  • Turn off the "Install from unknown sources" option.
  • Read the permission prompt shown by your Android system before approving or granting a new permission.
  • Malicious developers spoof the names of genuine applications and developers, so make sure you are downloading the genuine application. Application descriptions of fakes often contain typos and grammatical errors. Check whether the developer's website is linked from the application's page. If anything looks off, don't use it.
  • Reviews and ratings can be fake, but still read the user reviews for an application; the experience of existing users may be helpful. Pay particular attention to low-rated reviews.
  • Check the number of downloads. Popular applications have very high download counts, but keep in mind that some fake applications were downloaded thousands or millions of times before they were discovered.
  • Avoid downloading applications from third-party app stores or links provided by SMS, email, or WhatsApp messages. Also, avoid installing applications that are downloaded after you click on an ad.
  • Secure yourself from Android malware with a trusted antivirus such as Quick Heal Mobile Security.

Digvijay Mane
