Cyble Research Labs has come across a new set of Joker variants during our routine Open-Source Intelligence (OSINT) research. These variants of Joker malware have been observed utilizing sophisticated techniques for evading Google’s malware detection engine and spreading via the Play Store. Our analysis indicated that the malware targets Android users from Thailand.
The Joker malware family was first discovered in 2017, primarily compromising Android devices by posing as legitimate utility apps on the Google Play Store. This malware family is predominantly performing billing fraud and stealing SMS and device information. Additionally, it downloads malicious payloads from the Threat Actors’ Command and Control (C&C) server to an unsuspecting victim’s device.
Billing Frauds: Abusing Toll Billing
Cellular carrier providers offer payment endpoints via their websites. The Joker malware accesses these cellular webpages via mobile data and performs unauthorized payment transactions. The malware also steals OTPs used as the second factor of authentication for transactions.
From our previous analysis of this malware family, we have observed that the authors of this malware have created malicious apps posing as common, legitimate applications such as camera, scanner, messenger, and photo editor apps. Recently, we also came across a Joker variant developed leveraging the hype around the popular Netflix web series Squid Game to bait unsuspecting victims.
Last week, we discovered new variants of the Joker family from a Twitter post. Upon analyzing one of the samples, we observed that the malware variant utilizes multiple obfuscation techniques and multi-stage payloads to perform malicious activities. Additionally, the malicious app poses as an official LED flasher app that shows LED notifications on receiving phone calls and SMSs.
Technical Analysis
We collected and analyzed two Joker malware samples. The detailed analysis is covered in this article.
APK Sample’s File info
The file information of the sample APK file is given in the figure below.
- App Name: Apply Flasher
- Package Name: com.Management.app.flash
- SHA256: 06f92aa517a7de880671056fb782e0bdb92a1cc2442fc144e9890162865f00e8
Manifest Information
This Joker variant requests 18 different permissions, out of which the malware abuses three permissions. These dangerous permissions requested by the malicious app are READ_PHONE_STATE, BIND_NOTIFICATION_LISTENER_SERVICE, and CHANGE_WIFI_STATE.
The CHANGE_WIFI_STATE and READ_PHONE_STATE permissions enable cellular data for the carrier billing. Additionally, the malware uses the BIND_NOTIFICATION_LISTENER_SERVICE permission to steal the two-factor authentication received in the device’s notifications that is necessary for completing the carrier billing transactions.
The list of permissions in the APK’s manifest is shown below.
The malware has three entry-point classes declared in the APK’s manifest file. These are:
- com.Management.app.flash.FlashAlertApp: This class is executed initially, when the user starts the app from the device’s home screen, and is generally called the application subclass of the APK.
- com.Management.app.flash.activity.SplashScreen: This class displays the display page for the application and is also called the launcher activity.
- com.Management.app.flash.services.NotificationService: This class is initiated when the infected device receives a notification. This class is commonly called Notification listener service, and the declaration of this class in manifest is shown below.
The APK malware’s behavior can be identified by analyzing the entry-point classes.
Malware Behavior
The malware performs its malicious activity using multi-stage payloads, as shown in the figure below.
Upon analyzing the entry-point classes, we observed that the malware author loads a shared object (.so) file from the application subclass, as shown in Figure 5.
In the .so file, the malware author hides its code for downloading the first stage payload and loads the payload using the DexClassLoader (DCL) API. The image below shows the code used to download the payload.
The TA has used the obfuscation technique to hide the URL for downloading the first payload.
First-stage Payload
The URL to download the first stage payload is hxxps://10-9mopub.oss-ap-southeast-6.aliyuncs[.]com/Theme%20Call%20Screen/app_KSMJAKND22
The download file is an APK file with the SHA256 hash value 5bf57842a1dd3c1bd1bd19d7b6b7ed4480682b975bf2acc1193ed0436ad45452
By using the first stage payload APK file, the malware downloads the second stage payload from the TA’s C&C URL. The code used to download the second stage payload is shown below.
The malware downloads an APK file as the second stage payload and loads the APK using the same DCL API as shown in the figure below.
Additionally, the malware uses this first stage payload code to check whether the device is in Thailand (by checking the SIM information), as shown below.
The payload also contains the code to check whether the app is running on the device or an emulator.
Second-stage Payload
The URL to download the second stage payload is hxxps://10-9mopub.oss-ap-southeast-6.aliyuncs[.]com/Theme%20Call%20Screen/Rich-debug-22.apk
The SHA256 value of the second payload is 9f75255db5acecee498f8468ac3e5277fdc7db952494c348fe6f4e23ba7b7b8d
The second stage payload is also an APK file. It contains the code to collect OTPs using the notification listener service, as shown in figure 10.
The malware also filters out notifications from genuine apps to specifically collect OTP notifications. The same can be observed in the Figure 10.
In addition, the malware uses this payload to download a Java Archive (JAR) file as the third payload and loads as an extension to the main APK file using DCL API. The code used to download the third stage payload is given below.
Third-stage Payload
The third stage payload URL is hxxp://wo0.oss-accelerate[.]aliyuncs.com/adal.jar
The hash of the third stage payload is dd80828efc70d1f89d2fadd70c4707247450723697313b582b5c6d2244f0624c
The TAs hide the billing fraud code inside the third stage payload. The malware variant we analyzed primarily targets users from Thailand. The code used to perform billing frauds for users from Thailand is shown below.
Other recent variants of the Joker malware
Cyble research Labs also encounters another sample from the Joker family which hides its behavior inside an encrypted .so file which is in turn stored in the assets folder. The malicious app decrypts and loads the .so file during execution.
Hash of the APK: d3a4c6a0f9a12ecdded34f026371e5ba9c9d1319bbd77e55b3d51663c6d6ec3d
By utilizing the loaded .so file, the malware downloads its payload from the TA’s C&C URL.
C&C URL used to download the payload: hxxps://q60uwsyk0p.s3.ca-central-1.amazonaws[.]com/jjx3jqalwk
With the help of the downloaded payload, the malware performs similar billing fraud as discussed above.
Conclusion
Authors of malware are constantly introducing new techniques to evade detection, such as using multi-staging payloads for infection.
Joker is a sophisticated malware that has infected multiple victims. This makes it imperative for users to be attentive to notifications that appear while using the application, as they frequently indicate something unexpected or undesirable. So be cautious when using the application on your device.
Our Recommendations
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:    
- If you find this malware in your device, uninstall using ADB uninstall or perform a factory reset.
- Download and install software only from official app stores like Google Play Store & Apple App Store
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- If you find this malicious application on your device, uninstall, or delete it immediately. 
- Use the shared IoCs to monitor and block the malware infection. 
- Keep your anti-virus software updated to detect and remove malicious software. 
- Keep your devices, operating systems, and applications updated to the latest versions. 
- Use strong passwords and enable two-factor authentication.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Defense Evasion | T1523 | Evade Analysis Environment |
| Credential Access | T1412 | Capture SMS Messages |
| Credential Access | T1409 | Access Stored Application Data |
| Discovery | T1421 | System Network Connections Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1424 | Process Discovery |
| Collection | T1507 | Network Information Discovery |
| Collection | T1412 | Capture SMS Messages |
| Command and Control | T1571 | Non-Standard Port |
| Command and Control | T1573 | Encrypted Channel |
| Command and Control | T1219 | Remote Access Software |
| Impact | T1447 | Delete Device Data |
Indicators of Compromise (IOCs)  
| Indicators | Indicator type | Description |
| 06f92aa517a7de880671056fb782e0bdb92a1cc2442fc144e9890162865f00e8 | SHA256 | Hash of the APK sample |
| 5bf57842a1dd3c1bd1bd19d7b6b7ed4480682b975bf2acc1193ed0436ad45452 | SHA256 | Hash of the first payload |
| 9f75255db5acecee498f8468ac3e5277fdc7db952494c348fe6f4e23ba7b7b8d | SHA256 | Hash of the second payload |
| dd80828efc70d1f89d2fadd70c4707247450723697313b582b5c6d2244f0624c | SHA256 | Hash of the third payload |
| hxxps://10-9mopub.oss-ap-southeast-6.aliyuncs[.]com/Theme%20Call%20Screen/app_KSMJAKND22 | URL | URL to download the first payload |
| hxxps://10-9mopub.oss-ap-southeast-6.aliyuncs[.]com/Theme%20Call%20Screen/Rich-debug-22.apk | URL | URL to download the second payload |
| hxxp://wo0.oss-accelerate[.]aliyuncs.com/adal.jar | URL | URL to download third payload |
| d3a4c6a0f9a12ecdded34f026371e5ba9c9d1319bbd77e55b3d51663c6d6ec3d | SHA256 | Hash of another sample (APK2) |
| hxxps://q60uwsyk0p.s3.ca-central-1.amazonaws[.]com/jjx3jqalwk | URL | URL to download the payload for APK2 |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit https://cyble.com.
