Cyble-Android App-Disguised-QR scanner-Spreads Joker Trojan Malware Variant

Android App Disguised as a QR scanner, Spreads Joker Variant Trojan

A Joker malware performs the malware functionality of a Spyware or a Trojan and signs up a user for a premium subscription and downloads the infection application from the threat actor’s command-and-control server to the unsuspecting user’s device. 

Generally, this type of malware is quite undetectable. It works by extracting SMS details and other personal information from the user’s device by displaying ads, that interact with advertisement sites. 

Some of the primary information that the malware can steal from the victim’s device are: 

  • Text messages 
  • Device information 
  • Contact details 

In addition to stealing sensitive information, the malware is also capable of stealing money stolen from the user’s bank account without his/her consent. This can be attributed to the notification reading capabilities of the malware which gives it access to the SMS details of the user.  

Cyble researchers recently discovered a new variant of the Joker Dropper and spyware/trojan variant was accessible from the Google Play Store. Hiding as a legitimate application, it was found that the app is an updated version of Joker that downloads additional malware to the device and subscribes the users to premium services without their knowledge or consent. This is a common functionality of the Joker malware. 

We identified this variant in the Google Play Store based on a Twitter post that we came across during our routine threat hunting. Based on our research, we can confirm that the app was present in the Google Play Store till July 05, 2021.  

Figure 1 The App Previously Available in Google Play Store 

Even though Google promptly removed the application from the Play Store, the app has already had 500+ installs. Though Google removed this malware from its Play Store, attackers keep making slight modifications to the application and payload, thereby enabling the malware to evade Google Play Store’s detection of malicious aps. The changes by the Threat Actor (TA) include applying complex obfuscations in the code, changing execution methods, and using different payload retrieving techniques. 

Figure 2 App removed from Google Play Store 

The malware developer has adopted the same old technique of Dynamic Code Loading (DCL) and reflection techniques in the new variant to evade detection of its malicious functionality. Among the files dropped by DCL, the Dalvik Executable (DEX) of the Joker malware is an executable file saved in a format containing compiled code written for the Android platform. The Threat Actor (TA) uses these techniques to conceal malicious functionalities and prevents the malware from being detected during the static analysis of the app. 

Technical Analysis 

We performed the technical analysis of an APK of the Joker malware, with the following hash value: a18508d9047fe87da2bf14211c3f31c5ad48277348eb5011fdfe4dd7dac13d52. 

App name: QR Scanner Free 

Package name: 

Some of the applications’ permissions, activities, and services that may perform malicious activities are listed below: 


  • android.permission.READ_PHONE_STATE 
  • android.permission.CAMERA 
  • android.permission.ACCESS_COARSE_LOCATION 
  • android.permission.CALL_PHONE 
  • android.permission.CHANGE_WIFI_STATE 
  • android.permission.READ_CONTACTS 
  • android.permission.INTERNET 
  • android.permission.WRITE_EXTERNAL_STORAGE 


  • qr.barcode.scanner.activity.SplashActivity 
  • qr.barcode.scanner.activity.MainActivity 
  • qr.barcode.scanner.activity.ResultActivity 
  • qr.barcode.scanner.activity.CreateActivity 
  • qr.barcode.scanner.activity.FeedbackActivity 
  • qr.barcode.scanner.activity.WebviewActivity 
  • qr.barcode.scanner.activity.AboutActivity 


  • q.b 

The image below is a representation of the application’s malicious functionality: 

The malware initiates malicious behavior from the application subclass, qr.barcode.scanner.ScannerApp. This class is executed first when the user starts the application.  

Figure 3 Initiation of malware from the application subclass 

This onCreate function further invokes function “a”, which downloads the DEX file from the shortened url mentioned below, as shown in figure 4.   

Shortened URL: “hxxps://” 

On expanding: “hxxp://onemoretime.oss-us-east-1.aliyuncs[.]com/huadi

Figure 4 Code that requests file from the URL and checks for established HTTP connection 

The application loads the class “XX00” from the downloaded DEX file using dalvik.system.DexClassLoader API and tries to execute the method “jarico” from the dropped file. 

Figure 5 Loads the class and method from the dropped file 

Below code illustrates the “jarico” function execution after loading the class “XX00”.  

Figure 6 Code that performs DCL functionality 

Upon execution of the “jarico” function, a new DEX file is loaded, which initiates a connection to a second URL for downloading an additional DEX file. This DEX file “” loads the main class “Ferry” and method “Tayle”, as shown in Figure 7. 

Figure 7 Code that loads an additional DEX file from the URL 

The main class “Ferry” in turn connects to the third URL “hxxp://”, which drops the “” file by loading main class “com.antume.cantin” and method “button”. 

Figure 8 Third DEX file dropped from URL 

It was also observed that the same main class “Ferry”, has the capability to read all notifications received by the victim’s device. Using the notification listener service, it reads all the text messages or notifications and cancels them without the user’s knowledge to hide the fact that the notification was even received. 

Figure 9 Reads Notification Using Service 

Along with broadcastreceiver, the main class “com.antume.cantin” loaded from the dropped DEX file “” collects the content of the notifications from the main class “Ferry”.  

Figure 10 Collects and Stores SMS data 

Our research indicates that the application is using a common encryption technique used in Wireless Application Protocol (WAP) billing service to avoid detection. This technique involves the placement of a set of random characters within words. 

Figure 11 Common Pattern observed in encryption 

The application has several Wireless Application Protocol (WAP) subscription URL for its billing service. WAP billing is a payment method for purchasing content from sites, with the charges being directly added to the mobile phone bill. Using this billing service, attackers can target countries including the U.S., the U.K., India, Thailand, and Vietnam by enrolling users into unknown subscriptions and charging them on a daily, weekly, or monthly basis, thereby allowing attackers gaining the monetary benefits. 

As shown in Figure 12, the application has a Thailand-based WAP subscription url, which is common in this malware variant, and even checks for the carrier code to identify the cellular connectivity of the mobile device. 

Figure 12 Carrier code check and Thailand based WAP link 

The threat actor hides all the malicious functionality inside the downloaded payload. This technique is common in Joker malware. The malware is constantly evolving and defining new techniques to hide its malicious functionality from detection.  


  • Keep your anti-virus software updated to detect and remove malicious software. 
  • Uninstall the application if you find this malware in your device. 
  • Keep your system and applications updated to the latest versions. 
  • Use strong passwords and enable two-factor authentication. 
  • Download and install software only from trusted sites and official app stores. 
  • Verify the privileges and permissions requested by apps before granting them access. 
  • People concerned about the exposure of their stolen credentials in the dark web can register at to ascertain their exposure. 

MITRE ATT&CK® Techniques- for Mobile 

Tactic Technique ID Technique Name 
Defense Evasion T1406Obfuscated Files or Information 
Credential Access T1409 Access Stored Application Data 
Collection T1507 
Network Information Discovery 
Location Tracking 
Access Stored Application Data 
Credential Access T1409 Access Stored Application Data 
Discovery T1421
System Network Connections Discovery 
System Network Configuration Discovery 
System Information Discovery
Location Tracking 
Impact T1472 
Generate Fraudulent Advertising Revenue
Delete Device Data 

Indicators of Compromise (IoCs): 

IOCs IOC type 
a18508d9047fe87da2bf14211c3f31c5ad48277348eb5011fdfe4dd7dac13d52 SHA256   
0840f6feef265393c929ac61e0b1b04faa3999e1ae5655fd332ec674be2661a0 SHA256   
f772532dc7b83242e54cfec2bf740f12c13b1f2fce9da188da19b6df55da4fab SHA256 
3aac23064f58f32f8cd345b9455be3d638f5ae8658bbc6badcedcb111b002572 SHA256 
hxxp:// Interesting URL 
hxxp:// Interesting URL 
hxxp:// Interesting URL 
hxxp:// Interesting URL 
hxxp:// Interesting URL 
161.117.46[.]64 IP address 

About Cyble 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit

Comments are closed.

Scroll to Top