Joker Android Trojan is Up to its Old Tricks Again

Ten variants of the Joker Android Trojan managed to slip into the Huawei AppGallery app store and were downloaded by more than 538,000 users, according to new data from Russian anti-malware vendor Doctor Web.  Also known as Bread, the Joker Trojan was first observed in 2017, when it was originally focused on SMS fraud.  Joker is a Trojan that targets Android users. It was packaged in at least two dozen applications that were downloaded from the Google Play store over 400,000 times. The main purpose of Joker is to generate revenue for the cyber criminals responsible through fraudulent advertising activities. During 2020, the malware was observed performing billing fraud, with thousands of infected applications identified and removed by Google.

This family of Potentially Harmful Applications (PHAs), which is known for subscribing users to premium mobile services, has previously targeted Android users through Google Play, but it appears that the malware’s operators have shifted attention to additional app stores.  Joker attempts to remain silent and undetected on infected devices by making use of as little JavaScript code as possible and locking down its code through obfuscation techniques. In many cases, the malware has been integrated within advertising frameworks linked to its malicious apps.

With Huawei currently being the fourth-largest smartphone maker in terms of market share, at roughly 9 percent, it is no surprise that the cybercriminals behind Joker have chosen AppGallery to distribute their malware.  Disguised as harmless applications, the Trojan’s modifications would work as expected when launched, thus avoiding raising suspicion. Observed apps include “virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game,” the company said.

The Trojan’s variations feature multiple components capable of executing a variety of tasks. While only basic Trojan modules with minimal functionality are installed through the initial executable, additional components are downloaded from the Internet to expand the threat’s functionality.  While the user is delivered a full-fledged app, in the background the Trojan connects to the command and control (C&C) server to fetch the necessary configuration and components.  The malware automatically subscribes the user to premium mobile services, while the permissions that the decoy application asks for allow it to intercept incoming SMS messages containing the necessary subscription codes.

The apps set a limit on the number of premium services that can be successfully activated for each user. Subscriptions are successful only if the infected device is connected to the Internet through a mobile network. Thus, the Trojan attempts to terminate active Wi-Fi connections.

Doctor Web’s security researchers also warn that the Trojan sends the contents of all notifications about incoming SMS messages to the C&C server, which could lead to data leaks.  After being alerted to the identified malicious apps, Huawei took a series of measures to prevent further downloads.
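The capabilities described above (SMS interception, notification access, Wi-Fi manipulation and network access for fetching components) all have to be declared in an app's manifest. The following added triage helper is not part of this report or of any vendor tooling; it parses a constructed AndroidManifest.xml and flags the combination as Joker-like, which is a heuristic for manual review rather than a signature for this specific malware.

```python
"""Added triage example: flag a manifest whose declared permissions match the
capability set described for Joker. The manifest below is constructed for
illustration; the permission names are real Android permissions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability -> permissions that grant it.
CAPABILITIES = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "wifi_control": {"android.permission.CHANGE_WIFI_STATE"},
    "network": {"android.permission.INTERNET"},
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

def declared_permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}

def notification_listener_declared(manifest_xml: str) -> bool:
    # Notification access is granted to a service bound with this permission.
    root = ET.fromstring(manifest_xml)
    return any(s.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER
               for s in root.iter("service"))

def triage(manifest_xml: str) -> dict:
    perms = declared_permissions(manifest_xml)
    found = {cap: bool(perms & needed) for cap, needed in CAPABILITIES.items()}
    found["notification_access"] = notification_listener_declared(manifest_xml)
    # A sticker pack or coloring app has no reason to combine these capabilities.
    found["joker_like"] = found["sms_interception"] and found["network"] and (
        found["wifi_control"] or found["notification_access"])
    return found

# Constructed sample: a "sticker" app declaring the suspicious combination.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.stickers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <application>
    <service android:name=".NotifSvc"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```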

Red Sky Alliance has been analyzing and documenting cyber threats and groups for over 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are reused in current malicious campaigns.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516

TR-21-110-001_Joker_Android.pdf

https://www.securityweek.com/joker-android-trojan-lands-huawei-appgallery-app-store