The unfunny Joker is back. Here, we are not referring to the Joker that brings a smile to your face. Instead, we are talking about the nasty malware that steals your information. And this time, according to Quick Heal Security Labs, it has infected eight new apps on the Google Play Store. First spotted around 2017, Joker malware has been found in as many as 40 Android apps.
But what is Joker malware, how does it work, and is there a way to stay protected? Read on to learn more.
What Is Joker Malware?
Spotted in Google Play Store apps for the past three years, Joker belongs to one of the well-known malware families that target Android devices. It is not that Google is unaware of this malware or is not taking action. Yet the malware is smart enough to keep making its way into Google's official application market: to slip its infected apps past review, the Trojan keeps changing its code, execution methods, or payload-retrieval techniques.
The main purpose of this spyware is to silently sign up victims for premium wireless application protocol (WAP) services and to steal contact lists, SMS messages, and device information.
How Does Joker Malware Work?
To steal information, infect the device, and subscribe people to premium services without their knowledge or consent, Joker malware gets onto the device inside different applications and then silently performs its tasks. Most importantly, the Trojan interacts with advertisement websites in the background and subscribes the victim to premium services.
When one of these infected applications is launched, it asks for notification access; this lets the malware read notification and SMS data through the notifications themselves. Afterward, Joker asks for Contacts access, followed by phone call management permission. Once all the requested permissions are granted, the Trojan continues to work in the background without showing the user any sign of malicious activity.
What Makes Joker So Dangerous?
Like the Joker in the Batman series, this Joker is also creepy and dangerous.
As the victim uses the infected application, the Joker malware starts spying on the phone, steals information, and sends it to the attackers remotely. Joker also copies SMS text messages and contact lists and shares this confidential information, which is then used to carry out identity theft, fraud, and other hacking activities.
The most alarming thing about Joker is that it is capable of automatically enrolling infected devices in premium wireless application protocol (WAP) services. This can cost users a lot of money every month.
Why Is Joker Malware Making the News Headlines?
Lately, according to a new report from Quick Heal, the spyware has been found infecting eight new Android apps.
Following is the list of infected apps:
- Auxiliary Message
- Fast Magic SMS
- Free CamScanner
- Super Message
- Element Scanner
- Go Messages
- Travel Wallpapers
- Super SMS
In case you have downloaded and are using any of these apps, uninstalling them is suggested as your device and privacy might be at risk.
In addition to this, other apps that were found to be infected are:
- All Good PDF Scanner
- Mint Leaf Message-Your Private Message
- Unique Keyboard – Fancy Fonts & Free Emoticons
- Tangram App Lock
- Direct Messenger
- Private SMS
- One Sentence Translator – Multifunctional Translator
- Style Photo Collage
- Meticulous Scanner
- Desire Translate
- Talent Photo Editor – Blur focus
- Care Message
- Part Message
- Paper Doc Scanner
- Blue Scanner
- Hummingbird PDF Converter – Photo to PDF
- Powerful Cleaner
(At the time of writing, all of these apps have been removed from the Google Play store.)
Symptoms – Joker Malware
- The device slows down more than normal.
- System settings are altered without the user's permission.
- Different unknown applications appear on your Android device.
- Data and battery usage significantly increase.
- Browsers redirect you to rogue websites.
- Several intrusive advertisements appear that were not there earlier.
Damage caused by Joker Malware
- Steals personal information via SMS
- Decreased phone performance
- Battery drains quicker than usual
- A noticeable decrease in internet speed
- Significant data & monetary losses
Tactics used by the Joker malware author to bypass Google Play security
Direct download
The final payload is delivered via a direct URL received from the command and control (C&C) server. In this variant, the infected Google Play store app has the C&C address hidden in its own code, protected by string obfuscation.
One-stage download
The infected Google Play store app has the stager payload URL embedded in its own code, encrypted using the Advanced Encryption Standard (AES).
Two-stage download
The infected Google Play app downloads a stage-one payload, which downloads a stage-two payload, which finally loads the end Joker payload.
IOCs
Infected apps on Google Play:
MD5 | Package Name |
---|---|
2086f0d40e611c25357e8906ebb10cd1 | com.carefrendly.message.chat |
b8dea8e30c9f8dc5d81a5c205ef6547b | com.docscannercamscanpaper |
5a5756e394d751fae29fada67d498db3 | com.focusphoto.talent.editor |
8dca20f649f4326fb4449e99f7823a85 | com.language.translate.desire.voicetranlate |
6c34f9d6264e4c3ec2ef846d0badc9bd | com.nightsapp.translate.sentence |
04b22ab4921d01199c9a578d723dc6d6 | com.password.quickly.applock |
b488c44a30878b10f78d674fc98714b0 | com.styles.simple.photocollage.photos |
a6c412c2e266039f2d4a8096b7013f77 | com.unique.input.style.my.keyboard |
4c5461634ee23a4ca4884fc9f9ddb348 | dirsms.welcome.android.dir.messenger |
e4065f0f5e3a1be6a56140ed6ef73df7 | pdf.converter.image.scanner.files |
bfd2708725bd22ca748140961b5bfa2a | message.standardsms.partmessenger |
164322de2c46d4244341e250a3d44165 | mintleaf.message.messenger.tosms.ml |
88ed9afb4e532601729aab511c474e9a | omg.documents.blue.pdfscanner |
27e01dd651cf6d3362e28b7628fe65a4 | pdf.maker.scan.image.phone.scanner |
e7b8f388051a0172846d3b3f7a3abd64 | prisms.texting.messenger.coolsms |
0ab0eca13d1c17e045a649be27927864 | com.gooders.pdfscanner.gp |
bfbe04fd0dd4fa593bc3df65a831c1be | com.powerful.phone.android.cleaner |
URLs of payload distribution
Final C&C:
161[.]117[.]229[.]58
161[.]117[.]83[.]26
47[.]74[.]179[.]177
Source: https://www.zscaler.com/blogs/security-research/joker-playing-hide-and-seek-google-play
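As an added example (not part of the original article, nor Quick Heal's or Zscaler's tooling), the following Python checks an `adb shell pm list packages -f` listing against the package names from the IOC table above and compares an APK's MD5 against a set of known-bad hashes; the sample listing is constructed, not captured from a real device.

```python
import hashlib

# Package names taken from this article's IOC table.
JOKER_PACKAGES = {
    "com.carefrendly.message.chat",
    "com.docscannercamscanpaper",
    "com.focusphoto.talent.editor",
    "com.language.translate.desire.voicetranlate",
    "com.nightsapp.translate.sentence",
    "com.password.quickly.applock",
    "com.styles.simple.photocollage.photos",
    "com.unique.input.style.my.keyboard",
    "dirsms.welcome.android.dir.messenger",
    "pdf.converter.image.scanner.files",
    "message.standardsms.partmessenger",
    "mintleaf.message.messenger.tosms.ml",
    "omg.documents.blue.pdfscanner",
    "pdf.maker.scan.image.phone.scanner",
    "prisms.texting.messenger.coolsms",
    "com.gooders.pdfscanner.gp",
    "com.powerful.phone.android.cleaner",
}

def parse_pm_list(output):
    """Parse `adb shell pm list packages [-f]` output into {name: apk_path}.
    With -f each line is 'package:<apk path>=<name>'; without it, 'package:<name>'."""
    found = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # rpartition: the APK path itself may contain '=' on newer Android builds
        path, _, name = line[len("package:"):].rpartition("=")
        found[name] = path or None
    return found

def find_joker_packages(output, known_bad=JOKER_PACKAGES):
    """Installed package names that match the IOC list, sorted for stable output."""
    return sorted(set(parse_pm_list(output)) & set(known_bad))

def apk_md5_matches(apk_bytes, known_md5s):
    """True if the APK's MD5 (the hash type used in the IOC table) is in known_md5s."""
    return hashlib.md5(apk_bytes).hexdigest() in {h.lower() for h in known_md5s}

# Constructed sample listing, not from a real device.
SAMPLE_PM_OUTPUT = """\
package:/data/app/com.android.chrome-1/base.apk=com.android.chrome
package:/data/app/com.carefrendly.message.chat-1/base.apk=com.carefrendly.message.chat
package:/data/app/omg.documents.blue.pdfscanner-2/base.apk=omg.documents.blue.pdfscanner
"""
```

To check a real device, pass the output of `adb shell pm list packages -f` to `find_joker_packages`, then `adb pull` each matching APK path and run `apk_md5_matches` on its bytes against the MD5 column above.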
How to Stay Safe?
- If you have any of the above installed on your phone, we suggest uninstalling them.
- When installing scanner, wallpaper, and messaging applications, make sure they come from a trusted source, as these are the types of applications Joker malware targets.
- Install a solid mobile security application on your phone and regularly scan your device for potential threats. You can try Smart Phone Cleaner for this purpose, which comes with real-time protection to ensure no existing or new vulnerability can harm your device. It even comes with a robust set of cleaning and optimization modules that keep your smartphone in good shape and maximize overall speed.
Joker Malware – Stay Safe and Protected
Designed to infect Android apps, Joker malware is intelligent and works hard to keep Google from detecting it. This is why, even though Google knows about it and keeps removing the infected apps, it reappears with new techniques and infects more apps. The only way to stay protected is to be attentive and cautious.
Using a powerful security solution like Smart Phone Cleaner will surely add an extra layer of security, thanks to its Malware Protection module, and it also helps you be careful with the permissions you grant to each installed app on your device. Besides this, it even has an inbuilt browser that helps you surf the web with complete privacy and security. Make sure you enable real-time protection and set the scheduler for top-notch security against common Android threats and vulnerabilities.
Joker malware is clever and has infected thousands of victims. However, by following the tips explained above, you can stay protected.
We hope you will follow them and avoid falling into the clutches of this dreadful malware. If you find this information helpful, do share it with others. If you have anything to add, share your suggestions in the comments box.