The Joker Trojan plays the Google PlayStore

The Joker Trojan (also known as the Bread Trojan) is an Android dropper with spyware capabilities. It is often hidden within advertisements to trick users into clicking on and downloading the malware. Usually, it only targets SIM cards with specific country codes, geo-fencing the victims. It is used by financial attackers to harvest a user's device information, contact list, and text messages, and to sign them up to premium subscriptions.

APK Lab recently disclosed that two available apps that contain the Joker Trojan managed to sneak past protection systems and were uploaded to the Google Play Store. The apps containing the Trojan, called ‘Speed Message’ and ‘Botmatic Messages’, currently have over 11,000 installs combined:

VirusTotal Graph:

Once installed, the malware contacts the attacker’s C2 server and pulls the malicious payload. Further investigation into the IP address of the attacker’s C2 server led me to find three more apps, called ‘Playful Game Station’, ‘Watch SMS’, and ‘HS Photo Collage’, that all contain the Joker dropper too.

Watch SMS

HS Photo Collage

Interestingly, security researcher @ReBensk has recently uncovered a fake version of WhatsApp called ‘FmWhats latest version’ on the Play Store that contains the Joker Trojan. It is currently still available and has over 500,000 installs. 

FmWhats latest version

Archived from Google PlayStore: 

Further investigation led me to find samples of the Trojan and additional analysis. The fake WhatsApp is Google Play Protect-verified, bypassing the security systems. It also contains adverts and collects users' contact information, such as emails and phone numbers, before it stops working. Hundreds of users have left one-star reviews for the fake app. However, there are also a large number of five-star reviews from suspected bot accounts that leave a description like ‘good’ or ‘nice’.
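The review pattern described above (genuine one-star complaints next to five-star reviews that only say ‘good’ or ‘nice’) can be used as a triage signal during application vetting. The following is an added example, not part of the original post; the filler word list, the thresholds and the sample reviews are constructed assumptions.

```python
import re
from collections import Counter

# Assumed list of filler praise, seeded with the 'good' / 'nice' examples above.
GENERIC = {"good", "nice", "great", "ok", "super", "cool",
           "good app", "nice app", "very good", "very nice"}

# Constructed sample reviews as (stars, text); not real Play Store data.
SUSPECT = [
    (5, "good"), (5, "Nice!"), (5, "nice"), (5, "Good"), (5, "good app"),
    (5, "great"), (5, "Works fine for group chats so far"), (3, "meh"),
    (1, "Stopped working after it asked for my contacts"),
    (1, "Full of adverts, then it stops working"),
    (1, "Fake, this is not the real app"),
    (1, "Useless, nothing but ads"),
]
ORGANIC = [
    (5, "Clean layout and scheduled sending works well"), (5, "nice"),
    (4, "Good but needs a dark mode"), (3, "Okay, crashes sometimes"),
    (4, "Does what it says"), (2, "Asks for too many permissions"),
    (5, "Best SMS app I have used on this phone"), (1, "Crashes on start"),
    (4, "Solid"), (5, "Fast and simple"),
]

def normalise(text):
    """Lower-case and drop punctuation/emoji so 'Nice!!' matches 'nice'."""
    return re.sub(r"[^a-z ]", "", text.lower()).strip()

def review_signals(reviews):
    """Return rating polarisation and filler-text ratios for triage."""
    reviews = list(reviews)
    total = len(reviews)
    stars = Counter(s for s, _ in reviews)
    five = [t for s, t in reviews if s == 5]
    filler = sum(1 for t in five if normalise(t) in GENERIC)
    return {
        "total": total,
        "one_star_ratio": stars[1] / total if total else 0.0,
        "five_star_ratio": stars[5] / total if total else 0.0,
        "generic_five_ratio": filler / len(five) if five else 0.0,
    }

def is_suspicious(reviews, min_reviews=10, polar=0.8, one_star=0.2, generic=0.6):
    """Flag polarised ratings whose five-star text is mostly filler."""
    m = review_signals(reviews)
    if m["total"] < min_reviews:
        return False  # too few reviews to judge either way
    return (m["one_star_ratio"] + m["five_star_ratio"] >= polar
            and m["one_star_ratio"] >= one_star
            and m["generic_five_ratio"] >= generic)
```

A positive result is only a prompt for manual vetting (M1005), since legitimate apps also attract short five-star reviews.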

@MalwareHunterTeam also uncovered another Trojanised app with the Joker malware called ‘Separate Wallpapers’ that has over 100,000 installs and is still currently available on the Play Store. This takes the total up to around 600,000 installs of these fake apps. Archived on the PlayStore:

MITRE ATT&CK TTPs:

T1416 - Android Intent Hijacking
T1417 - Input Capture (Mobile)
T1516 - Input Injection (Mobile)
T1453 - Abuse Accessibility Features
T1432 - Access Contact List
T1412 - Capture SMS Messages
T1475 - Deliver Malicious App via Authorized App Store
T1204 - User Execution
T1203 - Exploitation for Client Execution

M1005 - Application Vetting
M1012 - Enterprise Policy
M1011 - User Guidance

IOCs are available here.

