Joker Malware Is Back – Here’s What You Need to Know To Stay Protected
Joker, the Trojan malware that is a nightmare for Google, is back!

The unfunny Joker is back. We are not referring to the Joker that brings a smile to your face, but to the nasty malware that steals your information. This time, according to Quick Heal Security Labs, it has infected eight new apps on the Google Play Store. First spotted around 2017, Joker malware has been found infecting as many as 40 Android apps.

But what is Joker malware, and how does it work? Is there a way to stay protected? Read on to find out.

What Is Joker Malware?

Spotted in Google Play Store apps for the past three years, Joker belongs to one of the well-known malware families that target Android devices. It is not that Google is unaware of this malware or is not taking action. Yet the malware is smart enough to keep making its way into Google’s official application market: to get new infected applications past Google’s checks, the Trojan changes its code, its execution methods, or its payload-retrieval techniques.

The main purpose of this spyware is to silently sign up victims for premium wireless application protocol (WAP) services and to steal contact lists, SMS messages, and device information.

How Does Joker Malware Work?

To steal information, infect the device, and sign people up for premium subscriptions without their knowledge or consent, Joker malware gets onto the device inside different applications and then silently performs its tasks. Most importantly, the Trojan interacts with advertisement websites in the background and subscribes the victim to premium services.

When an infected application is launched, it asks for notification access, which lets it read notification contents, including incoming SMS messages, through the notification listener. Joker then asks for Contacts access, followed by phone-call management permission. Once all the requested permissions are granted, the Trojan keeps working in the background without showing the user any sign of malicious activity.
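The permission sequence described above is what a defender can look for on a managed fleet: an app from a category that rarely needs them (scanner, wallpaper, messaging) requesting notification access, Contacts and phone or SMS control together. The following triage script is an added example written for this article; it is not the article’s own tooling or any vendor’s product. It uses real Android permission identifiers, but the package names and their permission lists are a constructed sample, in the simplified shape one could extract from `adb shell dumpsys package <pkg>`.

```python
"""Triage installed apps for the permission combination the article attributes
to Joker: notification access, then Contacts, then phone-call or SMS control.
Added example; package names and inventory below are constructed."""

# Permission identifiers are real Android platform names.
NOTIFICATION_ACCESS = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
CONTACTS_PERMS = {"android.permission.READ_CONTACTS"}
PHONE_PERMS = {
    "android.permission.CALL_PHONE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ANSWER_PHONE_CALLS",
}
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}

# Constructed sample inventory (hypothetical package names): the permissions
# each installed app requests.
SAMPLE_APPS = {
    "com.example.travel.wallpapers": [
        "android.permission.INTERNET",
        NOTIFICATION_ACCESS,
        "android.permission.READ_CONTACTS",
        "android.permission.CALL_PHONE",
    ],
    "com.example.super.scanner": [
        "android.permission.CAMERA",
        NOTIFICATION_ACCESS,
        "android.permission.READ_CONTACTS",
        "android.permission.READ_SMS",
    ],
    # A real SMS client is expected to hold SMS and Contacts permissions; what
    # it does not need is a notification listener, so it is not flagged.
    "com.example.legit.messenger": [
        "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
        "android.permission.READ_CONTACTS",
    ],
    "com.example.flashlight": ["android.permission.CAMERA"],
}


def sensitive_groups(permissions):
    """Return the set of sensitive capability groups covered by a permission list."""
    perms = set(permissions)
    groups = set()
    if NOTIFICATION_ACCESS in perms:
        groups.add("notification-access")
    if perms & CONTACTS_PERMS:
        groups.add("contacts")
    if perms & PHONE_PERMS:
        groups.add("phone")
    if perms & SMS_PERMS:
        groups.add("sms")
    return groups


def matches_joker_pattern(permissions):
    """True when notification access, contacts and phone or SMS control all appear."""
    groups = sensitive_groups(permissions)
    return (
        "notification-access" in groups
        and "contacts" in groups
        and bool(groups & {"phone", "sms"})
    )


def triage(apps):
    """Map each flagged package to the sorted list of sensitive groups it requests."""
    return {
        pkg: sorted(sensitive_groups(perms))
        for pkg, perms in apps.items()
        if matches_joker_pattern(perms)
    }


if __name__ == "__main__":
    for pkg, groups in triage(SAMPLE_APPS).items():
        print(f"{pkg}: review manually, requests {', '.join(groups)}")
```

The check is deliberately a combination rather than a single permission: an SMS client holding SMS permissions is normal, and a notification listener on its own is common in wearable companions, so only the full pattern is raised for manual review.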

What Makes Joker So Dangerous?

Like the Joker in the Batman series, this Joker is also creepy and dangerous.

As the victim uses the infected application, the Joker malware starts spying on the phone, steals information, and sends it to the attackers’ remote servers. Joker also copies SMS text messages and contact lists; the confidential private information it shares is then used for identity theft, fraud, and other hacking activities.

The most alarming thing about Joker is that it can automatically enrol infected devices in premium wireless application protocol (WAP) services, which can cost users a lot of money every month.

Why is Joker Malware making the news headlines?

According to a recent report from Quick Heal, the spyware has been found infecting eight new Android apps.

Following is the list of infected apps:

  1. Auxiliary Message
  2. Fast Magic SMS
  3. Free CamScanner
  4. Super Message
  5. Element Scanner
  6. Go Messages
  7. Travel Wallpapers
  8. Super SMS

If you have downloaded and are using any of these apps, uninstall them: your device and privacy may be at risk.

In addition to this, other apps that were found to be infected are:

  • All Good PDF Scanner
  • Mint Leaf Message-Your Private Message
  • Unique Keyboard – Fancy Fonts & Free Emoticons
  • Tangram App Lock
  • Direct Messenger
  • Private SMS
  • One Sentence Translator – Multifunctional Translator
  • Style Photo Collage
  • Meticulous Scanner
  • Desire Translate
  • Talent Photo Editor – Blur focus
  • Care Message
  • Part Message
  • Paper Doc Scanner
  • Blue Scanner
  • Hummingbird PDF Converter – Photo to PDF
  • Powerful Cleaner

(At the time of writing, all of these apps have been removed from the Google Play store.)

Symptoms – Joker Malware

  • The device slows down more than normal.
  • System settings are altered without users’ permission.
  • Different unknown applications appear on your Android device.
  • Data and battery usage significantly increase.
  • Browsers redirect you to rogue websites.
  • Several intrusive advertisements appear that were not there earlier.

Damage caused by Joker Malware

  • Steals personal information via SMS
  • Decreased phone performance
  • Battery drains quicker than usual
  • A noticeable decrease in internet speed
  • Significant data & monetary losses

Tactics used by the Joker malware author to bypass Google Play security

Direct download

The final payload is delivered via a direct URL received from the command and control (C&C) server. In this variant, the infected Google Play Store app has the C&C address hidden in its code, protected with string obfuscation.

One-stage download

The infected Google Play Store app carries the stager payload URL in its code, encrypted with the Advanced Encryption Standard (AES).

Two-stage download

The infected Google Play Store app downloads the stage-one payload, which downloads the stage-two payload, which finally loads the final Joker payload.

IOCs

Infected apps on Google Play:

MD5                               Package name
2086f0d40e611c25357e8906ebb10cd1  com.carefrendly.message.chat
b8dea8e30c9f8dc5d81a5c205ef6547b  com.docscannercamscanpaper
5a5756e394d751fae29fada67d498db3  com.focusphoto.talent.editor
8dca20f649f4326fb4449e99f7823a85  com.language.translate.desire.voicetranlate
6c34f9d6264e4c3ec2ef846d0badc9bd  com.nightsapp.translate.sentence
04b22ab4921d01199c9a578d723dc6d6  com.password.quickly.applock
b488c44a30878b10f78d674fc98714b0  com.styles.simple.photocollage.photos
a6c412c2e266039f2d4a8096b7013f77  com.unique.input.style.my.keyboard
4c5461634ee23a4ca4884fc9f9ddb348  dirsms.welcome.android.dir.messenger
e4065f0f5e3a1be6a56140ed6ef73df7  pdf.converter.image.scanner.files
bfd2708725bd22ca748140961b5bfa2a  message.standardsms.partmessenger
164322de2c46d4244341e250a3d44165  mintleaf.message.messenger.tosms.ml
88ed9afb4e532601729aab511c474e9a  omg.documents.blue.pdfscanner
27e01dd651cf6d3362e28b7628fe65a4  pdf.maker.scan.image.phone.scanner
e7b8f388051a0172846d3b3f7a3abd64  prisms.texting.messenger.coolsms
0ab0eca13d1c17e045a649be27927864  com.gooders.pdfscanner.gp
bfbe04fd0dd4fa593bc3df65a831c1be  com.powerful.phone.android.cleaner

URLs of payload distribution (defanged):

blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/privateSMS_ba[.]htm
blackdragon03[.]oss-ap-southeast-5[.]aliyuncs[.]com/partMessage_base[.]css
blackdragon03[.]oss-ap-southeast-5[.]aliyuncs[.]com/partMessage_config[.]json
nineth03[.]oss-ap-southeast-5[.]aliyuncs[.]com/MeticulousScanner_bs[.]mp3
sahar[.]oss-us-east-1[.]aliyuncs[.]com/care[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/onesentence[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/onesentence2[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/saiks[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/tangram[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/tangram2[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/twinkle[.]asf
2j1i9uqw[.]oss-eu-central-1[.]aliyuncs[.]com/328718737/armeabi-v7a/ihuq[.]sky
blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/blackdragon[.]html
blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/privateSMS[.]json
fgcxweasqw[.]oss-eu-central-1[.]aliyuncs[.]com/fdcxqewsswq/dir[.]png
jk8681oy[.]oss-eu-central-1[.]aliyuncs[.]com/fsaxaweqwa/amly[.]art
n47n[.]oss-ap-southeast-5[.]aliyuncs[.]com/H20PDF29[.]txt
n47n[.]oss-ap-southeast-5[.]aliyuncs[.]com/font106[.]ttf
nineth03[.]oss-ap-southeast-5[.]aliyuncs[.]com/blackdragon[.]html
proxy48[.]oss-eu-central-1[.]aliyuncs[.]com/m94[.]dir
proxy48[.]oss-eu-central-1[.]aliyuncs[.]com/response[.]js
laodaoo[.]oss-ap-southeast-5[.]aliyuncs[.]com/allgood2[.]webp
laodaoo[.]oss-ap-southeast-5[.]aliyuncs[.]com/flower[.]webp
rinimae[.]oss-ap-southeast-5[.]aliyuncs[.]com/powerful[.]mov
rinimae[.]oss-ap-southeast-5[.]aliyuncs[.]com/powerful2[.]mov
rinimae[.]oss-ap-southeast-5[.]aliyuncs[.]com//intro[.]mov

Final C&C (defanged):

161[.]117[.]229[.]58
161[.]117[.]83[.]26
47[.]74[.]179[.]177

Source: https://www.zscaler.com/blogs/security-research/joker-playing-hide-and-seek-google-play
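Indicator lists like the one above are only useful once they are checked against something. The script below is an added example, not part of the article or of the Zscaler research it cites: it takes the package names, payload hosts and C&C addresses exactly as published above (still in defanged `[.]` form), refangs them at run time, and matches them against a constructed `pm list packages` listing and a few constructed proxy log lines. Real proxy logs are not defanged, which is fine because refanging a normal hostname changes nothing.

```python
"""Match the Joker IOCs published on this page against a package listing and
proxy log lines. Added example; the package listing and log lines below are
constructed samples, the indicators are copied from the page."""

# Package names from the page's IOC table (what `pm list packages` shows).
JOKER_PACKAGES = {
    "com.carefrendly.message.chat", "com.docscannercamscanpaper",
    "com.focusphoto.talent.editor", "com.language.translate.desire.voicetranlate",
    "com.nightsapp.translate.sentence", "com.password.quickly.applock",
    "com.styles.simple.photocollage.photos", "com.unique.input.style.my.keyboard",
    "dirsms.welcome.android.dir.messenger", "pdf.converter.image.scanner.files",
    "message.standardsms.partmessenger", "mintleaf.message.messenger.tosms.ml",
    "omg.documents.blue.pdfscanner", "pdf.maker.scan.image.phone.scanner",
    "prisms.texting.messenger.coolsms", "com.gooders.pdfscanner.gp",
    "com.powerful.phone.android.cleaner",
}

# Payload-distribution hosts and final C&C addresses from the page, defanged.
DEFANGED_INDICATORS = [
    "blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com",
    "blackdragon03[.]oss-ap-southeast-5[.]aliyuncs[.]com",
    "nineth03[.]oss-ap-southeast-5[.]aliyuncs[.]com",
    "sahar[.]oss-us-east-1[.]aliyuncs[.]com",
    "2j1i9uqw[.]oss-eu-central-1[.]aliyuncs[.]com",
    "fgcxweasqw[.]oss-eu-central-1[.]aliyuncs[.]com",
    "jk8681oy[.]oss-eu-central-1[.]aliyuncs[.]com",
    "n47n[.]oss-ap-southeast-5[.]aliyuncs[.]com",
    "proxy48[.]oss-eu-central-1[.]aliyuncs[.]com",
    "laodaoo[.]oss-ap-southeast-5[.]aliyuncs[.]com",
    "rinimae[.]oss-ap-southeast-5[.]aliyuncs[.]com",
    "161[.]117[.]229[.]58",
    "161[.]117[.]83[.]26",
    "47[.]74[.]179[.]177",
]


def refang(indicator):
    """Turn the page's safe '[.]' notation back into a real dotted name."""
    return indicator.replace("[.]", ".")


INDICATORS = {refang(i).lower() for i in DEFANGED_INDICATORS}


def installed_matches(pm_output):
    """Parse `pm list packages` output ('package:<name>' per line) and return
    the known-bad package names found, sorted."""
    found = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name = line[len("package:"):]
            if name in JOKER_PACKAGES:
                found.add(name)
    return sorted(found)


def _host_of(token):
    """Reduce a URL or host:port token to its bare hostname or IP."""
    token = refang(token).lower()
    for scheme in ("http://", "https://"):
        if token.startswith(scheme):
            token = token[len(scheme):]
    return token.split("/", 1)[0].split(":", 1)[0]


def log_matches(log_lines):
    """Return (line_number, indicator) for each log line naming a known host or IP."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        for token in line.split():
            host = _host_of(token)
            if host in INDICATORS:
                hits.append((number, host))
                break
    return hits


# Constructed sample inputs. Indicators inside the log lines are written
# defanged, like the rest of the page; _host_of() refangs them on the fly.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.unique.input.style.my.keyboard
package:com.example.notes
package:pdf.converter.image.scanner.files
"""

SAMPLE_LOGS = [
    "2020-09-21T10:00:01Z 10.0.0.12 GET https://www.example.com/index.html 200",
    "2020-09-21T10:00:07Z 10.0.0.12 GET https://sahar[.]oss-us-east-1[.]aliyuncs[.]com/care[.]asf 200",
    "2020-09-21T10:00:09Z 10.0.0.12 CONNECT 161[.]117[.]229[.]58:443 -",
    "2020-09-21T10:01:15Z 10.0.0.13 GET https://updates.example.org/check 304",
]

if __name__ == "__main__":
    print("known-bad packages installed:", installed_matches(SAMPLE_PM_OUTPUT))
    print("log lines reaching Joker infrastructure:", log_matches(SAMPLE_LOGS))
```

Matching is done on the whole hostname rather than on the `aliyuncs.com` suffix on purpose: the payloads were hosted in ordinary Alibaba Cloud OSS buckets, so blocking or alerting on the parent domain would flag plenty of legitimate traffic.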

How to Stay Safe?

  • If you have any of the apps listed above installed on your phone, uninstall them.
  • When installing scanner, wallpaper, or messaging applications, make sure they come from a trusted source, as these are the types of applications Joker malware targets.
  • Install an anti-malware application on your phone and scan your smartphone regularly. You can try using Systweak Anti Malware for this purpose.
  • Pay attention to the permissions you grant. If you think a permission is not needed for the application to work, do not grant it. Always ask questions such as: does this app need these permissions? How would granting them help the app?
  • Before installing an SMS messaging app, ask yourself whether you really use such apps. If you do, prefer Telegram or other end-to-end encrypted apps, as they are reliable and safe to use.
  • Read the alerts, as they reveal a lot of information. If you are unsure about any permission, uninstall the app entirely.

Joker Malware – Stay Safe and Protected

Designed to infect Android apps, Joker malware is intelligent and makes sure that Google fails to detect it. This is why, even though Google knows about it and keeps removing the infected apps, it reappears with new techniques and infects more apps. The only way to stay protected is to be attentive and cautious.

Using an antivirus app like Systweak Anti Malware will surely add an extra layer of security, yet you need to be careful with the permissions you grant.

Joker Malware is clever and it has infected thousands of victims. However, by following the tips as explained you can stay protected.

We hope you will follow them and avoid falling into the clutches of this dreadful malware. If you find the information helpful, do share it with others. If you have anything to add, share your suggestions in the comments box.
