The Joker Trojan plays the Google PlayStore

-

The Joker Trojan (also known as the Bread Trojan) is an Android dropper with spyware capabilities. It is often hidden within advertisements to trick users into clicking on and downloading the malware. Usually, it only targets SIM cards with specific country codes, geo-fencing the victims. It is used by financial attackers to harvest a user's device information, contact list, text messages, and will sign them up to premium subscriptions.

APK Lab recently disclosed that two available apps that contain the Joker Trojan managed to sneak past protection systems and were uploaded to the Google Play Store. The apps containing the Trojan, called ‘Speed Message’ and ‘Botmatic Messages’, currently have over 11,000 installs combined:

VirusTotal Graph:

Once installed, the malware contacts the attacker’s C2 server and pulls the malicious payload. Further investigation into the IP address of the attacker’s C2 server led me to find three more apps, called ‘Playful Game Station’, ‘Watch SMS’, and ‘HS Photo Collage’, that all contain Joker Dropper too.


Watch SMS

HS Photo Collage

Interestingly, security researcher @ReBensk has recently uncovered a fake version of WhatsApp called ‘FmWhats latest version’ on the Play Store that contains the Joker Trojan. It is currently still available and has over 500,000 installs. 



FmWhats latest version

Archived from Google PlayStore: 



Further investigation led me to find samples of the Trojan and additional analysis. What was found is that the fake WhatsApp is Google Play Protect-verified, bypassing the security systems. It also contains adverts and collects users' contact information such as emails and phone numbers before it stops working. Hundreds of users have also left one-star reviews for the fake app. However, there are also a large number of five-star reviews from suspected bot accounts that leave a description like ‘good’ or ‘nice’. Reviews - http://archive.vn/saKHM

@MalwareHunterTeam also uncovered another Trojanised app with the Joker malware called ‘Separate Wallpapers’ that has over 100,000 installs and is still currently available on the Play Store. This takes the total up to around 600,000 installs of these fake apps. Archived on the PlayStore: http://archive.vn/lp2Pr

Mitre ATT&CK TTPs:

Techniques:
T1416 - Android Intent Hijacking
T1417 - Input Capture (Mobile)
T1516 - Input Injection (Mobile)
T1453 - Abuse Accessibility Features
T1432 - Access Contact List
T1412 - Capture SMS Messages
T1475 - Deliver Malicious App via Authorized App Store
T1204 - User Execution
T1203 - Exploitation for Client Execution

Mitigation:
M1005 - Application Vetting
M1012 - Enterprise Policy
M1011 - User Guidance

IOCs are available here.

Sources:

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more