Joker malware behaves as spyware or a Trojan: it signs the user up for premium subscriptions and downloads the malicious application from the threat actor’s command-and-control server to the unsuspecting user’s device.
Generally, this type of malware is difficult to detect. It works by extracting SMS details and other personal information from the user’s device while displaying ads that interact with advertisement sites.
The primary information that the malware can steal from the victim’s device includes:
- Text messages
- Device information
- Contact details
In addition to stealing sensitive information, the malware is also capable of stealing money from the user’s bank account without their consent. This can be attributed to the malware’s notification-reading capability, which gives it access to the user’s SMS details.
Cyble researchers recently discovered that a new variant of the Joker dropper and spyware/trojan was accessible from the Google Play Store. Hiding as a legitimate application, the app is an updated version of Joker that downloads additional malware to the device and subscribes users to premium services without their knowledge or consent. This is common functionality in Joker malware.
We identified this variant in the Google Play Store based on a Twitter post that we came across during our routine threat hunting. Based on our research, we can confirm that the app was present in the Google Play Store till July 05, 2021.

Figure 1 The App Previously Available in Google Play Store
Even though Google promptly removed the application from the Play Store, the app had already reached 500+ installs. Attackers also keep making slight modifications to the application and payload, which enables the malware to evade the Google Play Store’s detection of malicious apps. The changes made by the Threat Actor (TA) include applying complex obfuscation to the code, changing execution methods, and using different payload-retrieval techniques.

Figure 2 App removed from Google Play Store
The malware developer has reused the established techniques of Dynamic Code Loading (DCL) and reflection in the new variant to keep its malicious functionality from being detected. Among the files dropped through DCL is the Joker malware’s Dalvik Executable (DEX), an executable file saved in a format containing compiled code written for the Android platform. The Threat Actor (TA) uses these techniques to conceal malicious functionality and to prevent the malware from being detected during static analysis of the app.
Technical Analysis
We performed the technical analysis of an APK of the Joker malware, with the following hash value: a18508d9047fe87da2bf14211c3f31c5ad48277348eb5011fdfe4dd7dac13d52.
App name: QR Scanner Free
Package name: com.yanto.mo.codescan
Some of the application’s permissions, activities, and services that may perform malicious activities are listed below:
Permissions:
- android.permission.READ_PHONE_STATE
- android.permission.CAMERA
- android.permission.ACCESS_COARSE_LOCATION
- android.permission.CALL_PHONE
- android.permission.CHANGE_WIFI_STATE
- android.permission.READ_CONTACTS
- android.permission.INTERNET
- android.permission.WRITE_EXTERNAL_STORAGE
Activities:
- qr.barcode.scanner.activity.SplashActivity
- qr.barcode.scanner.activity.MainActivity
- qr.barcode.scanner.activity.ResultActivity
- qr.barcode.scanner.activity.CreateActivity
- qr.barcode.scanner.activity.FeedbackActivity
- qr.barcode.scanner.activity.WebviewActivity
- qr.barcode.scanner.activity.AboutActivity
Services:
- q.b
- com.google.android.gms.ads.AdService
- androidx.work.impl.background.systemalarm.SystemAlarmService
- androidx.work.impl.background.systemjob.SystemJobService
- androidx.room.MultiInstanceInvalidationService
The image below is a representation of the application’s malicious functionality:

The malware initiates malicious behavior from the application subclass, qr.barcode.scanner.ScannerApp. This class is executed first when the user starts the application.

Figure 3 Initiation of malware from the application subclass
The onCreate function then invokes function “a”, which downloads the DEX file from the shortened URL given below, as shown in Figure 4.
Shortened URL: “hxxps://zws.im/??????????????”
On expanding: “hxxp://onemoretime.oss-us-east-1.aliyuncs[.]com/huadi”

Figure 4 Code that requests file from the URL and checks for established HTTP connection
The application loads the class “XX00” from the downloaded DEX file using the dalvik.system.DexClassLoader API and tries to execute the method “jarico” from the dropped file.

Figure 5 Loads the class and method from the dropped file
The code below illustrates the execution of the “jarico” function after the class “XX00” is loaded.

Figure 6 Code that performs DCL functionality
Upon execution of the “jarico” function, a new DEX file is loaded, which initiates a connection to a second URL for downloading an additional DEX file. This DEX file “hd.ai” loads the main class “Ferry” and method “Tayle”, as shown in Figure 7.

Figure 7 Code that loads an additional DEX file from the URL
The main class “Ferry” in turn connects to the third URL “hxxp://onemoretime.oss-us-east-1.aliyuncs.com/notice.ai”, which drops the “notice.ai” file by loading main class “com.antume.cantin” and method “button”.

Figure 8 Third DEX file dropped from URL
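The download, DexClassLoader and reflection chain described above leaves recognizable call patterns in decompiled source. The following triage script is an added example, not code from the original analysis: it flags any decompiled file that combines a network fetch, a DEX class loader and a reflective invoke, and reports the class and method names passed as string literals. The sample sources are constructed for illustration and only reuse the names “XX00” and “jarico” from the text.

```python
import re

# Call patterns for the download -> DexClassLoader -> reflection chain.
SIGNALS = {
    "network_fetch": re.compile(r"\b(?:openConnection|HttpURLConnection|openStream)\b"),
    "dex_loader": re.compile(r"\b(?:DexClassLoader|PathClassLoader|InMemoryDexClassLoader)\b"),
    "load_class": re.compile(r"\.loadClass\(\s*\"([^\"]*)\""),
    "reflect_method": re.compile(r"\.get(?:Declared)?Method\(\s*\"([^\"]*)\""),
    "reflect_invoke": re.compile(r"\.invoke\("),
}
# A file showing all three of these behaves like a dropper stage.
CHAIN = ("network_fetch", "dex_loader", "reflect_invoke")

def triage(sources):
    """Map each file name to its signals, captured names and a chain verdict."""
    report = {}
    for name, text in sources.items():
        hits = {}
        for key, rx in SIGNALS.items():
            found = rx.findall(text)
            if found:
                hits[key] = sorted(set(found))
        if hits:
            report[name] = {
                "signals": sorted(hits),
                "classes": hits.get("load_class", []),
                "methods": hits.get("reflect_method", []),
                "dropper_chain": all(k in hits for k in CHAIN),
            }
    return report

# Constructed sample of decompiled Java (not taken from the analysed APK).
SAMPLE = {
    "ScannerApp.java": '''
        URLConnection c = new URL(stage1Url).openConnection();
        DexClassLoader l = new DexClassLoader(path, dir, null, getClassLoader());
        Class<?> k = l.loadClass("XX00");
        k.getMethod("jarico", Context.class).invoke(null, this);
    ''',
    "MainActivity.java": '''
        Method m = View.class.getMethod("getId");
        Object id = m.invoke(view);
    ''',
}

if __name__ == "__main__":
    for name, info in triage(SAMPLE).items():
        print(name, info)
```

Reflection alone, as in the second sample file, is common in benign apps, so only the combined chain is treated as a dropper indicator.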
It was also observed that the same main class “Ferry” has the capability to read all notifications received by the victim’s device. Using the notification listener service, it reads all the text messages or notifications and cancels them without the user’s knowledge to hide the fact that the notification was even received.

Figure 9 Reads Notification Using Service
Along with a BroadcastReceiver, the main class “com.antume.cantin” loaded from the dropped DEX file “notice.ai” collects the content of the notifications from the main class “Ferry”.

Figure 10 Collects and Stores SMS data
Our research indicates that the application is using a common encryption technique used in Wireless Application Protocol (WAP) billing service to avoid detection. This technique involves the placement of a set of random characters within words.

Figure 11 Common Pattern observed in encryption
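When strings are hidden by inserting filler characters inside words, an analyst can often recover the filler statistically and strip it. The following is an added example, not code from the original analysis, and it assumes that one fixed filler token is reused across the strings; the token “q7Zk” and the sample strings are constructed, since the pattern from Figure 11 is not reproduced here.

```python
from collections import Counter

def find_junk_token(strings, min_len=3, max_len=8):
    """Return the substring repeated most often across the corpus.

    Ties go to the longest candidate, so the full token wins over its own
    fragments. Heuristic: assumes a single filler token reused in every
    string. Returns None when there is nothing to count.
    """
    counts = Counter()
    for s in strings:
        for n in range(min_len, max_len + 1):
            for i in range(len(s) - n + 1):
                counts[s[i:i + n]] += 1
    if not counts:
        return None
    token, _ = max(counts.items(), key=lambda kv: (kv[1], len(kv[0])))
    return token

def deobfuscate(strings):
    """Recover the filler token and return it with the cleaned strings."""
    token = find_junk_token(strings)
    if token is None:
        return None, list(strings)
    return token, [s.replace(token, "") for s in strings]

# Constructed sample: the filler "q7Zk" is inserted inside each word.
SAMPLE = [
    "subq7Zkscrq7Zkibe",
    "conq7Zkfirq7Zkm",
    "Dexq7ZkClassLoq7Zkader",
    "loaq7ZkdClq7Zkass",
]

if __name__ == "__main__":
    token, plain = deobfuscate(SAMPLE)
    print("filler:", token)
    for before, after in zip(SAMPLE, plain):
        print(before, "->", after)
```

Once the strings are cleaned, keyword-based static rules for billing or loader terms can match them again.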
The application has several Wireless Application Protocol (WAP) subscription URLs for its billing service. WAP billing is a payment method for purchasing content from sites, with the charges being directly added to the mobile phone bill. Using this billing service, attackers can target countries including the U.S., the U.K., India, Thailand, and Vietnam by enrolling users into unknown subscriptions and charging them on a daily, weekly, or monthly basis, thereby allowing the attackers to gain monetary benefits.
As shown in Figure 12, the application has a Thailand-based WAP subscription URL, which is common in this malware variant, and even checks for the carrier code to identify the cellular connectivity of the mobile device.

Figure 12 Carrier code check and Thailand based WAP link
The threat actor hides all the malicious functionality inside the downloaded payload. This technique is common in Joker malware. The malware is constantly evolving and defining new techniques to hide its malicious functionality from detection.
RECOMMENDATIONS:
- Keep your anti-virus software updated to detect and remove malicious software.
- Uninstall the application if you find this malware on your device.
- Keep your system and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
- Download and install software only from trusted sites and official app stores.
- Verify the privileges and permissions requested by apps before granting them access.
- People concerned about the exposure of their stolen credentials on the dark web can register at AmIBreached.com to ascertain their exposure.
MITRE ATT&CK® Techniques for Mobile
Tactic | Technique ID | Technique Name |
Defense Evasion | T1406 | Obfuscated Files or Information |
Credential Access | T1409 | Access Stored Application Data |
Collection | T1507, T1430, T1409 | Network Information Discovery, Location Tracking, Access Stored Application Data |
Discovery | T1421, T1422, T1430, T1426 | System Network Connections Discovery, System Network Configuration Discovery, System Information Discovery, Location Tracking |
Impact | T1472, T1447 | Generate Fraudulent Advertising Revenue, Delete Device Data |
Indicators of Compromise (IoCs):
About Cyble
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch in 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.