For the past three years, Joker Trojans have kept appearing on the Google Play Store. Quick Heal Security Labs recently discovered eight applications carrying Joker malware in the Google Play Store and reported them to Google, which has since removed all of the applications.
Figure 1 Screenshot of Google Play Store application
Joker is a spyware Trojan that steals data from victims' devices, such as SMS messages, contact lists and device information. It then silently interacts with advertisement websites and subscribes the victim to premium services without their knowledge. In January, I reported a similar sample to Google and blogged about it.
Let's take a look at the behavior of one of these applications:
- Application name: Element Scanner
- Developer name: Obrian Connie
- Downloads: 10K+
At startup, the application requests notification access, which it uses to read the contents of notifications, including incoming SMS messages. It also requests access to contacts and permission to make and manage phone calls. It then behaves like a document scanner application, showing the user no visible malicious activity.
Figure 2 Privileges required by the application
But in the background it downloads two payloads, one after the other. The first is fetched from a Bitly shortened URL embedded in the original application on the Google Play Store (see Figure 3): the application contains the link "hxxp://bit[.]ly/3hT17RL". That first payload then downloads the next stage from "hxxp://skullali[.]oss-me-east-1[.]aliyuncs[.]com/realease.mp3". This second payload is the Joker malware itself.
Figure 3 Payload download flow
The final payload, delivered as an .mp3 file, contains the notification-access code (see Figure 4) and an onReceive method that collects received SMS data (see Figure 5).
Figure 4 Notification access code
Figure 5 Implementation of the onReceive method
The malware also checks the country code (MCC) of the SIM operator. If the code starts with "520", i.e. the SIM belongs to an operator in Thailand, the user is subscribed to the premium service, as shown in Figure 6.
Figure 6 Subscription code
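As an added example (not code from Quick Heal or from the sample itself), the Python script below shows how an analyst might triage a decoded APK for the combination of traits described above: a bound NotificationListenerService, contact and phone permissions, a URL-shortener link, a second stage fetched from cloud object storage under a media extension, dynamic code loading, and a hard-coded three-digit MCC such as "520" next to getSimOperator. The manifest and string table are constructed to resemble apktool / dex string-table output, not taken from the real app, and the scoring threshold is an assumption.

```python
"""Static triage of a decoded APK for the Joker-style traits described above.

Added example, not Quick Heal's tooling. SAMPLE_MANIFEST and SAMPLE_STRINGS are
constructed to look like apktool / dex string-table output; they are not taken
from the real sample. The scoring threshold is an assumption.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: a "scanner" app that binds a NotificationListenerService
# (notification access) and asks for contacts + phone permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.scanner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Scanner">
    <service android:name=".NotiService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an app with nothing suspicious, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

# Constructed string table as it might be recovered from classes.dex.
SAMPLE_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "http://bit.ly/3hT17RL",
    "http://skullali.oss-me-east-1.aliyuncs.com/realease.mp3",
    "getSimOperator",   # TelephonyManager.getSimOperator() returns MCC+MNC
    "520",              # MCC 520 = Thailand
    "android.telephony.SmsManager",
]

SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}
SHORTENER_RE = re.compile(r"https?://(?:bit\.ly|tinyurl\.com|t\.co|goo\.gl)/\S+", re.I)
# Cloud object storage (Alibaba OSS, Tencent COS) serving a media-looking file.
STAGED_PAYLOAD_RE = re.compile(
    r"https?://[\w.-]+\.(?:aliyuncs\.com|myqcloud\.com)/\S+\.(?:mp3|png|jpg|gif)\b", re.I)
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"


def manifest_findings(manifest_xml):
    """Permissions and notification-listener binding declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perm_attr = "{%s}permission" % ANDROID_NS
    perms = {el.get(name_attr) for el in root.iter("uses-permission")}
    return {
        "notification_listener": any(
            svc.get(perm_attr) == LISTENER_PERM for svc in root.iter("service")),
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
    }


def string_findings(strings):
    """Download chain, dynamic loading and MCC-check hints from the dex strings."""
    joined = "\n".join(strings)
    uses_sim_operator = "getSimOperator" in strings
    return {
        "shortened_urls": SHORTENER_RE.findall(joined),
        "staged_payloads": STAGED_PAYLOAD_RE.findall(joined),
        "dynamic_loading": "Ldalvik/system/DexClassLoader;" in strings,
        # A bare 3-digit string next to getSimOperator is a likely MCC comparison.
        "mcc_candidates": sorted(s for s in strings if re.fullmatch(r"\d{3}", s))
        if uses_sim_operator else [],
    }


def triage(manifest_xml, strings):
    """Combine both views and give a simple verdict (threshold is an assumption)."""
    f = {**manifest_findings(manifest_xml), **string_findings(strings)}
    f["score"] = sum(bool(f[k]) for k in (
        "notification_listener", "sensitive_permissions", "shortened_urls",
        "staged_payloads", "dynamic_loading", "mcc_candidates"))
    f["verdict"] = "joker-like" if f["score"] >= 4 else "inconclusive"
    return f


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS), indent=2))
```

None of these traits is malicious on its own (many legitimate apps bind a notification listener or use DexClassLoader); the point is that the combination the write-up describes is rare in a document scanner, which is why the script scores them together rather than alerting on any single one.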
Malware authors distribute Joker by disguising it as scanner, wallpaper and messaging applications on the Google Play Store; these categories attract downloads quickly and are easy targets for such abuse. Users should be cautious with applications of this kind and install them only from trusted developers.
Indicators of compromise (IOCs):
- hxxp://buckts[.]oss-me-east-1[.]aliyuncs[.]com
- hxxp://wter[.]oss-us-east-1[.]aliyuncs[.]com/
- hxxp://skullali[.]oss-us-east-1[.]aliyuncs[.]com/
- hxxp://184.108.40.206/svhyqj/mjcxzy
- hxxp://suanleba[.]oss-us-west-1[.]aliyuncs[.]com
- hxxps://new-sk[.]oss-ap-southeast-1[.]aliyuncs[.]com
- hxxp://517-1305586011[.]cos[.]na-toronto[.]myqcloud[.]com/b2
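The IOCs above are defanged in several inconsistent styles ("hxxp", "[.]", ". ]", stray spaces), so they cannot be dropped into a blocklist as-is. The following Python script is an added example (not Quick Heal's tooling) that normalises them, extracts the hosts, and matches them against proxy log lines; the log lines are constructed for illustration. It also flags the second-stage pattern from the write-up (an .mp3 fetched from Alibaba OSS), which catches the skullali host even though the region in the text differs from the one in the IOC list.

```python
"""Refang the defanged IOC list above and match it against proxy logs.

Added example, not Quick Heal's tooling. The proxy log lines are constructed
for illustration; the IOC strings are the ones from the list above, in the
mixed defanging styles in which they appear ("hxxp", "[.]", ". ]", spaces).
"""
import re
from urllib.parse import urlsplit

DEFANGED_IOCS = [
    "hxxp: // buckts[.]oss-me-east-1[.]aliyuncs[.]Com",
    "hxxp: // wter[.]oss-us-east-1[.]aliyuncs[.]com /",
    "hxxp: // skullali[.]oss-us-east-1[.]aliyuncs[.]com /",
    "hxxp: //184.108.40.206/svhyqj/mjcxzy",
    "hxxp: // suanleba[.]oss-us-west-1[.]aliyuncs[.]Com",
    "hxxps: // new-sk. ]oss-ap-southeast-1. ]aliyuncs. ]com",
    "hxxp: // 517-1305586011. ]cos. ]na-toronto. ]myqcloud. ]com / b2",
]

# Constructed proxy log: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2021-07-01T10:02:11Z 10.0.0.17 GET http://bit.ly/3hT17RL 301
2021-07-01T10:02:12Z 10.0.0.17 GET http://skullali.oss-me-east-1.aliyuncs.com/realease.mp3 200
2021-07-01T10:03:40Z 10.0.0.23 GET https://www.google.com/ 200
2021-07-01T10:05:02Z 10.0.0.17 GET http://184.108.40.206/svhyqj/mjcxzy 200
2021-07-01T10:06:15Z 10.0.0.31 GET https://new-sk.oss-ap-southeast-1.aliyuncs.com/x 200
""".splitlines()


def refang(ioc):
    """Turn a defanged URL back into a real one (for matching only, never for browsing)."""
    s = re.sub(r"\s+", "", ioc)                   # "hxxp: // a. ]b" -> "hxxp://a.]b"
    s = re.sub(r"[\[(]?\.[\])]", ".", s)          # "[.]", ".]", "(.)" -> "."
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)


def ioc_host(ioc):
    """Lower-cased hostname (or IP) of a defanged IOC."""
    return urlsplit(refang(ioc)).hostname


BLOCKED_HOSTS = {ioc_host(i) for i in DEFANGED_IOCS}
URL_RE = re.compile(r"https?://\S+")
# Second-stage pattern from the write-up: a ".mp3" fetched from Alibaba OSS.
STAGE2_RE = re.compile(r"^https?://[^/]+\.aliyuncs\.com/.*\.mp3$", re.I)


def scan_log(lines):
    """Return (client, host, reason) for each line hitting an IOC host or the stage-2 pattern."""
    hits = []
    for line in lines:
        fields = line.split()
        m = URL_RE.search(line)
        if len(fields) < 4 or not m:
            continue
        url = m.group(0)
        host = urlsplit(url).hostname
        if host in BLOCKED_HOSTS:
            hits.append((fields[1], host, "ioc-host"))
        elif STAGE2_RE.match(url):
            # Exact host match misses this one (different OSS region), the pattern does not.
            hits.append((fields[1], host, "oss-mp3-stage2-pattern"))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_PROXY_LOG):
        print("%-10s %-45s %s" % hit)
```

Matching on hostnames rather than full URLs is deliberate: the paths on the object-storage hosts change between campaigns, while the buckets tend to be reused. The bit.ly hop is not in the IOC list and is not flagged, since blocking a public shortener would be far too noisy; the OSS ".mp3" heuristic is the more useful pivot for hunting related samples.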
Tips for staying safe
- Download the application only from trusted sources such as the Google Play store.
- Learn how to identify fake applications on the Google Play Store.
- Do not click on unknown links received via messages or other social media platforms.
- Turn off the option to install applications from unknown sources.
- Read the pop-up message displayed by the Android system before approving/granting a new permission.
- Malicious developers spoof the names of genuine applications and developers, so make sure you are downloading the genuine application. Descriptions of fake applications often contain typos and grammatical errors. Check the developer's website link on the application's page. If anything looks odd, don't use it.
- Reviews and ratings can be faked, but still read the user reviews; the experiences of existing users may be helpful. Pay particular attention to low-rated reviews.
- Check the number of downloads: popular applications have very high download counts. Keep in mind, however, that some fake applications have been downloaded thousands or even millions of times before they were discovered.
- Avoid downloading applications from third-party app stores or links provided by SMS, email, or WhatsApp messages. Also, avoid installing applications that are downloaded after you click on an ad.
- Secure yourself from Android malware with a trusted antivirus such as Quick Heal Mobile Security.
Google Play Store applications laced with Joker malware, yet again
https://blogs.quickheal.com/google-play-store-applications-laced-with-joker-malware-yet-again/