New Joker Variant Utilizes Multi-Stage Payloads Technique

Cyble Research Labs has come across a new set of Joker variants during our routine Open-Source Intelligence (OSINT) research. These variants of Joker malware have been observed utilizing sophisticated techniques for evading Google’s malware detection engine and spreading via the Play Store. Our analysis indicated that the malware targets Android users from Thailand. 

The Joker malware family was first discovered in 2017, primarily compromising Android devices by posing as legitimate utility apps on the Google Play Store. This malware family is predominantly performing billing fraud and stealing SMS and device information. Additionally, it downloads malicious payloads from the Threat Actors’ Command and Control (C&C) server to an unsuspecting victim’s device.  

Billing Frauds: Abusing Toll Billing 

Cellular carrier providers offer payment endpoints via their websites. The Joker malware accesses these cellular webpages via mobile data and performs unauthorized payment transactions. The malware also steals OTPs used as the second factor of authentication for transactions. 

From our previous analysis of this malware family, we have observed that the authors of this malware have created malicious apps posing as common, legitimate applications such as camera, scanner, messenger, and photo editor apps. Recently, we also came across a Joker variant developed leveraging the hype around the popular Netflix web series Squid Game to bait unsuspecting victims.  

Last week, we discovered new variants of the Joker family from a Twitter post. Upon analyzing one of the samples, we observed that the malware variant utilizes multiple obfuscation techniques and multi-stage payloads to perform malicious activities. Additionally, the malicious app poses as an official LED flasher app that shows LED notifications on receiving phone calls and SMSs.  

Technical Analysis 

We collected and analyzed two Joker malware samples. The detailed analysis is covered in this article.  

APK Sample’s File info 

The file information of the sample APK file is given in the figure below. 

Figure 1: APK File Info 
  • App Name: Apply Flasher 
  • Package Name: 
  • SHA256: 06f92aa517a7de880671056fb782e0bdb92a1cc2442fc144e9890162865f00e8 

Manifest Information 

This Joker variant requests 18 different permissions, out of which the malware abuses three permissions. These dangerous permissions requested by the malicious app are READ_PHONE_STATE, BIND_NOTIFICATION_LISTENER_SERVICE, and CHANGE_WIFI_STATE. 

The CHANGE_WIFI_STATE and READ_PHONE_STATE permissions enable cellular data for the carrier billing. Additionally, the malware uses the BIND_NOTIFICATION_LISTENER_SERVICE permission to steal the two-factor authentication received in the device’s notifications that is necessary for completing the carrier billing transactions. 

The list of permissions in the APK’s manifest is shown below. 

Figure 2: Permissions declared in the manifest 

The malware has three entry-point classes declared in the APK’s manifest file. These are: 

  • This class is executed initially, when the user starts the app from the device’s home screen, and is generally called the application subclass of the APK. 
  • This class displays the display page for the application and is also called the launcher activity. 
  • This class is initiated when the infected device receives a notification. This class is commonly called Notification listener service, and the declaration of this class in manifest is shown below. 
Figure 3: Notification listener service declared in the APK’s manifest file 

The APK malware’s behavior can be identified by analyzing the entry-point classes.    

Malware Behavior 

The malware performs its malicious activity using multi-stage payloads, as shown in the figure below. 

Figure 4: Stages of malware behavior 

Upon analyzing the entry-point classes, we observed that the malware author loads a shared object (.so) file from the application subclass, as shown in Figure 5.  

Figure 5: Code to load so file from application subclass 

In the .so file, the malware author hides its code for downloading the first stage payload and loads the payload using the DexClassLoader (DCL) API. The image below shows the code used to download the payload. 

Figure 6: Code to download the first stage payload 

The TA has used the obfuscation technique to hide the URL for downloading the first payload. 

First-stage Payload 

The URL to download the first stage payload is hxxps://10-9mopub.oss-ap-southeast-6.aliyuncs[.]com/Theme%20Call%20Screen/app_KSMJAKND22 

The download file is an APK file with the SHA256 hash value 5bf57842a1dd3c1bd1bd19d7b6b7ed4480682b975bf2acc1193ed0436ad45452 

By using the first stage payload APK file, the malware downloads the second stage payload from the TA’s C&C URL. The code used to download the second stage payload is shown below. 

Figure 7: Code to download the second stage payload 

The malware downloads an APK file as the second stage payload and loads the APK using the same DCL API as shown in the figure below. 

Figure 8: Code to load second stage payload using DCL API 

Additionally, the malware uses this first stage payload code to check whether the device is in Thailand (by checking the SIM information), as shown below. 

Figure 9: Code to check for the SIM ISO 

The payload also contains the code to check whether the app is running on the device or an emulator. 

Second-stage Payload 

The URL to download the second stage payload is hxxps://10-9mopub.oss-ap-southeast-6.aliyuncs[.]com/Theme%20Call%20Screen/Rich-debug-22.apk 

The SHA256 value of the second payload is 9f75255db5acecee498f8468ac3e5277fdc7db952494c348fe6f4e23ba7b7b8d 

The second stage payload is also an APK file. It contains the code to collect OTPs using the notification listener service, as shown in figure 10. 

Figure 10: Code to steal OTPs 

The malware also filters out notifications from genuine apps to specifically collect OTP notifications. The same can be observed in the Figure 10. 

In addition, the malware uses this payload to download a Java Archive (JAR) file as the third payload and loads as an extension to the main APK file using DCL API. The code used to download the third stage payload is given below. 

Figure 11: Code to download third stage payload 

Third-stage Payload 

The third stage payload URL is hxxp://wo0.oss-accelerate[.] 

The hash of the third stage payload is dd80828efc70d1f89d2fadd70c4707247450723697313b582b5c6d2244f0624c 

The TAs hide the billing fraud code inside the third stage payload. The malware variant we analyzed primarily targets users from Thailand. The code used to perform billing frauds for users from Thailand is shown below. 

Figure 12: Code to perform billing fraud 

Other recent variants of the Joker malware 

Cyble research Labs also encounters another sample from the Joker family which hides its behavior inside an encrypted .so file which is in turn stored in the assets folder. The malicious app decrypts and loads the .so file during execution.  

Hash of the APK: d3a4c6a0f9a12ecdded34f026371e5ba9c9d1319bbd77e55b3d51663c6d6ec3d 

By utilizing the loaded .so file, the malware downloads its payload from the TA’s C&C URL. 

C&C URL used to download the payload: hxxps://[.]com/jjx3jqalwk 

With the help of the downloaded payload, the malware performs similar billing fraud as discussed above. 


Authors of malware are constantly introducing new techniques to evade detection, such as using multi-staging payloads for infection.  

Joker is a sophisticated malware that has infected multiple victims. This makes it imperative for users to be attentive to notifications that appear while using the application, as they frequently indicate something unexpected or undesirable. So be cautious when using the application on your device. 

Our Recommendations 

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:     

  1. If you find this malware in your device, uninstall using ADB uninstall or perform a factory reset. 
  1. Download and install software only from official app stores like Google Play Store & Apple App Store 
  1. Ensure that Google Play Protect is enabled on Android devices. 
  1. Be careful while enabling any permissions. 
  1. If you find this malicious application on your device, uninstall, or delete it immediately.  
  1. Use the shared IoCs to monitor and block the malware infection.  
  1. Keep your anti-virus software updated to detect and remove malicious software.  
  1. Keep your devices, operating systems, and applications updated to the latest versions.  
  1. Use strong passwords and enable two-factor authentication. 

MITRE ATT&CK® Techniques 

Tactic  Technique ID  Technique Name 
Defense Evasion T1406 Obfuscated Files or Information 
Defense Evasion T1523 Evade Analysis Environment 
Credential Access T1412 Capture SMS Messages 
Credential Access T1409 Access Stored Application Data 
Discovery T1421  System Network Connections Discovery 
Discovery T1016 System Network Configuration Discovery 
Discovery T1424 Process Discovery 
Collection T1507 Network Information Discovery 
Collection T1412 Capture SMS Messages 
Command and Control T1571 Non-Standard Port 
Command and Control T1573 Encrypted Channel 
Command and Control T1219 Remote Access Software 
Impact T1447 Delete Device Data 

Indicators of Compromise (IOCs)   

Indicators Indicator type Description 
06f92aa517a7de880671056fb782e0bdb92a1cc2442fc144e9890162865f00e8 SHA256 Hash of the APK sample 
5bf57842a1dd3c1bd1bd19d7b6b7ed4480682b975bf2acc1193ed0436ad45452 SHA256 Hash of the first payload 
9f75255db5acecee498f8468ac3e5277fdc7db952494c348fe6f4e23ba7b7b8d SHA256 Hash of the second payload 
dd80828efc70d1f89d2fadd70c4707247450723697313b582b5c6d2244f0624c SHA256 Hash of the third payload 
hxxps://10-9mopub.oss-ap-southeast-6.aliyuncs[.]com/Theme%20Call%20Screen/app_KSMJAKND22 URL URL to download the first payload
hxxps://10-9mopub.oss-ap-southeast-6.aliyuncs[.]com/Theme%20Call%20Screen/Rich-debug-22.apk URL URL to download the second payload 
hxxp://wo0.oss-accelerate[.] URL URL to download third payload 
d3a4c6a0f9a12ecdded34f026371e5ba9c9d1319bbd77e55b3d51663c6d6ec3d SHA256 Hash of another sample (APK2) 
hxxps://[.]com/jjx3jqalwk URL URL to download the payload for APK2 

About Us 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit

Comments are closed.

Scroll to Top