Tech giants from Zscaler ThreatLabZ research team identified 17 apps and alerted Google as those Apps were infected with joker malware app and were reportedly stealing details like SMS, contact details and device information from affected phone’s.
The 17 apps included the following:
- All Good PDF Scanner
- Mint Leaf Message-Your Private Message
- Unique Keyboard – Fancy Fonts & Free Emoticons
- Tangram App Lock
- Direct Messenger
- Private SMS
- One Sentence Translator – Multifunctional Translator
- Style Photo Collage
- Meticulous Scanner
- Desire Translate
- Talent Photo Editor – Blur focus
- Care Message
- Part Message
- Paper Doc Scanner
- Blue Scanner
- Hummingbird PDF Converter – Photo to PDF
- All Good PDF Scanner
Joker Malware:-
Reportedly, the malware stole money from a user’s account by signing them up for premium subscriptions. It starts by silently simulating interaction with an advertisement without the user knowing and then even steals the victim’s SMS messages, which might contain OTP(One Time Password) to authenticate payments.
Which means, with the access to their SMS inbox, the hacker could be stealing money without the users knowing anything about it, unless they check their account statement.
“This strategy works by automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for a SMS message with a confirmation code and extracting it using regular expressions. Finally, the Joker submits the extracted code to the offer’s webpage, in order to authorize the premium subscription,” the post reads.
IOCs
Infected Apps on GooglePlay:
| MD5s | Package Name |
| 2086f0d40e611c25357e8906ebb10cd1 | com.carefrendly.message.chat |
| b8dea8e30c9f8dc5d81a5c205ef6547b | com.docscannercamscanpaper |
| 5a5756e394d751fae29fada67d498db3 | com.focusphoto.talent.editor |
| 8dca20f649f4326fb4449e99f7823a85 | com.language.translate.desire.voicetranlate |
| 6c34f9d6264e4c3ec2ef846d0badc9bd | com.nightsapp.translate.sentence |
| 04b22ab4921d01199c9a578d723dc6d6 | com.password.quickly.applock |
| b488c44a30878b10f78d674fc98714b0 | com.styles.simple.photocollage.photos |
| a6c412c2e266039f2d4a8096b7013f77 | com.unique.input.style.my.keyboard |
| 4c5461634ee23a4ca4884fc9f9ddb348 | dirsms.welcome.android.dir.messenger |
| e4065f0f5e3a1be6a56140ed6ef73df7 | pdf.converter.image.scanner.files |
| bfd2708725bd22ca748140961b5bfa2a | message.standardsms.partmessenger |
| 164322de2c46d4244341e250a3d44165 | mintleaf.message.messenger.tosms.ml |
| 88ed9afb4e532601729aab511c474e9a | omg.documents.blue.pdfscanner |
| 27e01dd651cf6d3362e28b7628fe65a4 | pdf.maker.scan.image.phone.scanner |
| e7b8f388051a0172846d3b3f7a3abd64 | prisms.texting.messenger.coolsms |
| 0ab0eca13d1c17e045a649be27927864 | com.gooders.pdfscanner.gp |
| bfbe04fd0dd4fa593bc3df65a831c1be | com.powerful.phone.android.cleaner |
URLs of payload distribution
blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/privateSMS_ba[.]htm
blackdragon03[.]oss-ap-southeast-5[.]aliyuncs[.]com/partMessage_base[.]css
blackdragon03[.]oss-ap-southeast-5[.]aliyuncs[.]com/partMessage_config[.]json
nineth03[.]oss-ap-southeast-5[.]aliyuncs[.]com/MeticulousScanner_bs[.]mp3
sahar[.]oss-us-east-1[.]aliyuncs[.]com/care[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/onesentence[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/onesentence2[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/saiks[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/tangram[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/tangram2[.]asf
sahar[.]oss-us-east-1[.]aliyuncs[.]com/twinkle[.]asf
2j1i9uqw[.]oss-eu-central-1[.]aliyuncs[.]com/328718737/armeabi-v7a/ihuq[.]sky
blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/blackdragon[.]html
blackdragon[.]oss-ap-southeast-5[.]aliyuncs[.]com/privateSMS[.]json
fgcxweasqw[.]oss-eu-central-1[.]aliyuncs[.]com/fdcxqewsswq/dir[.]png
jk8681oy[.]oss-eu-central-1[.]aliyuncs[.]com/fsaxaweqwa/amly[.]art
n47n[.]oss-ap-southeast-5[.]aliyuncs[.]com/H20PDF29[.]txt
n47n[.]oss-ap-southeast-5[.]aliyuncs[.]com/font106[.]ttf
nineth03[.]oss-ap-southeast-5[.]aliyuncs[.]com/blackdragon[.]html
proxy48[.]oss-eu-central-1[.]aliyuncs[.]com/m94[.]dir
proxy48[.]oss-eu-central-1[.]aliyuncs[.]com/response[.]js
laodaoo[.]oss-ap-southeast-5.aliyuncs[.]com/allgood2[.]webp
laodaoo[.]oss-ap-southeast-5[.]aliyuncs[.]com/flower[.]webp
rinimae[.]oss-ap-southeast-5[.]aliyuncs.com/powerful[.]mov
rinimae[.]oss-ap-southeast-5[.]aliyuncs.com/powerful2[.]mov
rinimae[.]oss-ap-southeast-5[.]aliyuncs.com//intro[.]mov
Final C&C:
161[.]117[.]229[.]58
161[.]117[.]83[.]26
47[.]74[.]179[.]177
Safety advice:-
Even the very secure Google Play Store may be targeted by virus Trojan developers to achieve the spread of its Trojan horse, so it is recommended for the safety of the general user:
- Do not use niche APPS.
- Download the app to identify the major app stores or go to the big factory APP official website to download.
- Pay attention to the security vendor security news, once found that the disclosed Trojan APP appears on their mobile phones, timely contact professional security personnel to deal with.
We recommend paying close attention to the permission list in the apps that you install on your Android device. Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page also helps identify compromised apps.
Leave A Comment