September 20, 2019

Joker Trojan

Entry Type
Security Guidance
Platform(s) Affected
Android
Threat Type
Malware
Platform(s) Affected
Security Guidance
Android
Malware

How Lookout Protects and Recommendation for Admins

We recommend blacklisting apps that are infected with Joker. Even though they’ve been removed from the Play Store, the malware can still work if the app is already installed on a device. As a general best practice, employees should not be installing 3rd party camera and wallpaper apps, which is what most of these are, on work or personal devices.

Overview

Joker is a new Trojan on the Google Play store that has been detected in 24 apps with over 472,000 installs in total. It can silently interact with advertising websites that have an offer attached, steal the victim’s SMS messages, and pull both contact list and device information. At the time of this document’s creation, all 24 apps have been removed from the Google Play Store.

The attacker uses the offers on these ad websites to generate small increments of income by silently accepting the offer on behalf of the victim without his or her knowledge.

How Does it Work?

An infected app will install a Loader by displaying a splash screen, which performs initialization processes silently in the background. Upon completion, the malware will download an obfuscated and AES-encrypted configuration, which is decrypted into a string that contains all necessary information about the core second stage of Joker.

The second stage Core component creates minimal footprint and periodically requests new commands from the C&C server, which are executed in a strict order. Upon receipt of the command message, Joker opens a URL to the ad site with an offer attached, wait for the SMS message with an authorization code to arrive, pulls the code, and enters it into the offer page. Once entered, Joker sends a note to the C&C server that the job is completed, and the process starts again.

Finally, the Core component can collect all numbers in the victim’s contact list and send them to the C&C server in encrypted format.

How Lookout Protects and Recommendation for Admins

We recommend blacklisting apps that are infected with Joker. Even though they’ve been removed from the Play Store, the malware can still work if the app is already installed on a device. As a general best practice, employees should not be installing 3rd party camera and wallpaper apps, which is what most of these are, on work or personal devices.

Colleagues standing in an open meeting area and sharing a humorous moment

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Other Related Threats

New

September 22, 2023

iOS 16.6.1 and iOS 17.0

Apple recently released two software updates for iOS and iPad OS for vulnerabilities that can form an exploit chain and are also known to install Predator spyware.

September 15, 2023

Scattered Spider

September 19, 2023

CVE-2023-4863