The Joker – Android Malware
An article on the CSIS TechBlog looks into a new Android Trojan named “Joker”, which was detected in 24 apps on the Google Play store that had collectively been downloaded more than 472,000 times. After an infected app is installed, a second stage is downloaded that can steal the victim’s SMS messages, contact list and information about the device, which it sends to its C&C server.
It is also able to interact with advertising sites automatically and silently sign users up for paid premium subscription services. The malware operates conditionally on the geography in which an infected device is located; some 37 countries were identified as being targeted.
The country check is done on the SIM rather than on IP geolocation. Most of the infected apps contain a list of Mobile Country Codes (MCC), and the victim has to be using a SIM card whose MCC is on that list in order to receive the second stage payload. The majority of the discovered apps target EU and Asian countries, although some of the apps carry no country restriction at all. For anyone analysing a sample, this matters: an emulator or test device whose SIM (or lack of one) does not report a targeted MCC will never fetch the second stage, so the loader will look inert.
Infected devices are controlled from the C&C server, whose operators can push specific jobs and tasks to them.
Further details – https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451
YARA Rule
Loader YARA rule (the hex byte sequences are simply the ASCII strings given in the comments; the rule requires both $c and $cerr together, while the C&C path or IP string alone is enough to fire):

rule android_joker {
    strings:
        $c    = { 52656D6F746520436C6F616B }                          // "Remote Cloak"
        $cerr = { 6E6574776F726B2069737375653A20747279206C61746572 } // "network issue: try later"
        $net  = { 2F6170692F636B776B736C3F6963633D }                 // "/api/ckwksl?icc="
        $ip   = { 332E3132322E3134332E3236 }                         // "3.122.143.26"
    condition:
        ($c and $cerr) or $net or $ip
}
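The rule above can be checked without a YARA installation by decoding its hex patterns and evaluating the condition by hand. The following is an added example, not code from the CSIS write-up: it reproduces the rule's strings and condition in plain Python and runs them over a few constructed byte samples (none of which are real Joker loader bytes) to show which combinations of strings actually trigger a hit.

```python
"""Added example: evaluate the android_joker YARA rule's strings and
condition in plain Python. The byte samples below are constructed for
illustration and are not taken from a real Joker sample."""

# The four hex patterns exactly as they appear in the YARA rule.
PATTERNS = {
    "c":    "52656D6F746520436C6F616B",
    "cerr": "6E6574776F726B2069737375653A20747279206C61746572",
    "net":  "2F6170692F636B776B736C3F6963633D",
    "ip":   "332E3132322E3134332E3236",
}


def decode_patterns(patterns=PATTERNS):
    """Turn the hex patterns into raw bytes; here they are plain ASCII."""
    return {name: bytes.fromhex(hexstr) for name, hexstr in patterns.items()}


def matched_strings(data, patterns=PATTERNS):
    """Return the names of the rule strings found anywhere in `data`.

    YARA hex strings match at any offset, so a plain substring search is
    the equivalent test for these fixed byte sequences."""
    needles = decode_patterns(patterns)
    return {name for name, needle in needles.items() if needle in data}


def android_joker(data):
    """Apply the rule's condition: ($c and $cerr) or $net or $ip."""
    hits = matched_strings(data)
    return ({"c", "cerr"} <= hits) or ("net" in hits) or ("ip" in hits)


# Constructed samples (not real malware bytes), one per branch of the condition.
LOADER_LIKE = b"\x00\x01Remote Cloak\x00network issue: try later\x00"  # $c and $cerr
ONLY_TAG = b"Remote Cloak\x00some unrelated text"                      # $c alone: no hit
BEACON = b"GET /api/ckwksl?icc=12345 HTTP/1.1\r\n"                    # $net alone
IP_ONLY = b"http://3.122.143.26/"                                       # $ip alone
BENIGN = b"hello world"                                                 # nothing

if __name__ == "__main__":
    for label, blob in [("loader-like", LOADER_LIKE), ("only-tag", ONLY_TAG),
                        ("beacon", BEACON), ("ip-only", IP_ONLY), ("benign", BENIGN)]:
        print(f"{label:12} strings={sorted(matched_strings(blob))} hit={android_joker(blob)}")
```

Note that $net and $ip are matched as bare ASCII anywhere in a file, so the rule will also fire on a packet capture or proxy log that merely contains the C&C path or address; that is useful for hunting, but a hit on such a file is not evidence of the loader itself.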
Indicators of Compromise
The first stage (payload distribution) C&C:
  http://3.122.143[.]26/

Main C&Cs:
  http://joker2.dolphinsclean[.]com/
  http://beatleslover[.]com/
  http://47.254.144[.]154/

Second stage binaries (Core):
  https://s3.amazonaws.com/media.site-group-df[.]com/s8-release
  https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8–5-release
  https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8-5-dsp-release
  https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8-all
  https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9-3-sendsms
  https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9–6-release
  https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9–6–2-release
  https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s9-6-3
  https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y12-all-no-log
  https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y12-no-log
  https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y13-all
  https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/Y13-all-v2-no-log
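The list above is defanged with "[.]" and mixes dedicated hosts with objects in shared cloud storage, which affects how it should be turned into detections. The following added example (not part of the CSIS write-up) refangs a subset of the indicators and matches them against a few constructed proxy-log lines. It assumes that s3.amazonaws.com is shared with countless legitimate tenants, so only the full host plus bucket path is treated as an indicator there, whereas the aliyuncs entries carry the bucket name in the hostname and can be matched on host alone.

```python
"""Added example: refang the defanged Joker IOCs and match them against
proxy-log lines. The IOC subset is copied from the list above; the log
lines are constructed for illustration."""

import re
from urllib.parse import urlsplit

# Subset of the published indicators, exactly as defanged in the report.
DEFANGED_IOCS = [
    "http://3.122.143[.]26/",
    "http://joker2.dolphinsclean[.]com/",
    "http://beatleslover[.]com/",
    "http://47.254.144[.]154/",
    "https://s3.amazonaws.com/media.site-group-df[.]com/s8-release",
    "https://tb-eu-jet.oss-eu-central-1.aliyuncs[.]com/s8-all",
]

# Assumption for this example: hosts where the bucket lives in the path and the
# host itself is shared infrastructure, so host-only matching would be noise.
SHARED_HOSTS = {"s3.amazonaws.com"}

URL_RE = re.compile(r"https?://\S+")


def refang(ioc):
    """Undo the [.] defanging so the URL parses normally."""
    return ioc.replace("[.]", ".")


def build_indicators(defanged=DEFANGED_IOCS):
    """Split the list into host-level indicators and (host, path) pairs."""
    hosts, host_paths = set(), set()
    for ioc in defanged:
        u = urlsplit(refang(ioc))
        host = u.hostname.lower()
        if host in SHARED_HOSTS:
            host_paths.add((host, u.path))
        else:
            hosts.add(host)
    return hosts, host_paths


def match_line(line, hosts, host_paths):
    """Return the indicator a log line hits (host, or host+path), else None."""
    m = URL_RE.search(line)
    if not m:
        return None
    u = urlsplit(m.group(0))
    host = (u.hostname or "").lower()
    if host in hosts:
        return host
    if (host, u.path) in host_paths:
        return host + u.path
    return None


def scan(lines, defanged=DEFANGED_IOCS):
    """Return (line, indicator) pairs for every line that hits an IOC."""
    hosts, host_paths = build_indicators(defanged)
    results = []
    for line in lines:
        hit = match_line(line, hosts, host_paths)
        if hit:
            results.append((line, hit))
    return results


# Constructed proxy-log lines: two dedicated-host hits, one S3 object hit,
# one unrelated S3 object that must not fire, and one benign request.
LOG_LINES = [
    "10.0.0.5 GET http://joker2.dolphinsclean.com/ 200",
    "10.0.0.7 GET https://s3.amazonaws.com/media.site-group-df.com/s8-release 200",
    "10.0.0.7 GET https://s3.amazonaws.com/company-assets/logo.png 200",
    "10.0.0.9 GET https://tb-eu-jet.oss-eu-central-1.aliyuncs.com/s9-3-sendsms 200",
    "10.0.0.9 GET https://example.com/ 200",
]

if __name__ == "__main__":
    for line, hit in scan(LOG_LINES):
        print(f"HIT {hit:55} <- {line}")
```

The aliyuncs request for s9-3-sendsms is flagged even though only the s8-all URL is in the subset, because the bucket hostname itself is the indicator; by contrast, a request for an unrelated S3 object passes through untouched.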

Duncan is a technology professional with over 20 years of experience working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.