• Australia
• Austria
• Belgium
• Brazil
• China
• Cyprus
• Egypt
• France
• Germany
• Ghana
• Greece
• Honduras 
• India
• Indonesia
• Ireland
• Italy
• Kuwait
• Malaysia
• Myanmar
• Netherlands
• Norway
• Poland
• Portugal
• Qatar
• Republic of Argentina
• Serbia
• Singapore
• Slovenia
• Spain
• Sweden
• Switzerland
• Thailand
• Turkey
• Ukraine
• United Arab Emirates
• United Kingdom
• United States

• SMS extraction/ OTP extraction
• Multi-staged operation
• Unauthorized user interaction 
• Money stealing
• JavaScript command injection
• Phone book contact extraction

• Initial loading is done via a Joker Initialization Component, which is inserted in the advertisement frameworks of legitimate applications.
• After initialization, the malware will download AES encrypted configuration from the C2 server. And at the beginning of the second stage, a specially crafted string is sent to the C2 server for payload extraction. 
• Eventually Joker will download the malware kit, a dex file, on the completion of the second stage.
• Dynamic loading of dex files are implemented to minimize Joker’s fingerprints on the device.

Impact

Technical Impact

• Malware makes subscriptions to premium services on behalf of the users.
• Grabs text messages for OTP stealing.
• Malware has the ability to interact with permission prompts without  user’s consent making unauthorized approvals on client’s behalf to install additional tools.
• It is capable of extracting contacts from the phone, compromising the privacy of users.
• Command injection lets malware access filesystems and exfiltrate user data.
• Steals user form data to obtain credit card information.

Business Impact

• Compromise of critical employee data via mobile attacks gives attackers access to enterprise networks.
• Nation states target mobile platforms to carry out espionage attacks against large businesses and critical infrastructures.

Mitigations

• Remove all the applications mentioned in the section ‘Indicators of Compromise’ below.
• Check credit card bills/ account statements.
• Install an EDR solution for your mobile phone.

Indicators of Compromise

First stage (payload distribution) C&C: 

http://3.122.143[.]26/

Main C&Cs:

Second stage binaries (Core):

Unpacked second stage of the build "Y13-all-v2-no-log" SHA256: 

Loader YARA rule:

rule android_joker {     

    strings:

        $c = { 52656D6F746520436C6F616B } // Remote Cloak

        $cerr = { 6E6574776F726B2069737375653A20747279206C61746572 } // network issue: try later

        $net = { 2F6170692F636B776B736C3F6963633D } // /api/ckwksl?icc=

        $ip = { 332E3132322E3134332E3236 } // 3.122.143.26     

    condition:

        ($c and $cerr) or $net or $ip 

}

Infected Android Apps