The Joker Trojan (also known as the Bread Trojan) is an Android dropper with spyware capabilities. It is often hidden behind advertisements that trick users into clicking through and downloading the malware. Usually it only activates on devices whose SIM card carries one of a specific set of country codes, geo-fencing the victims. Financially motivated attackers use it to harvest a user’s device information, contact list and text messages, and to sign the victim up to premium subscriptions.
APK Lab recently disclosed that two apps containing the Joker Trojan managed to slip past Google’s protection systems and were published on the Google Play Store. The two apps, ‘Speed Message’ and ‘Botmatic Messages’, currently have over 11,000 installs combined:
VirusTotal Graph:
Once installed, the malware contacts the attacker’s C2 server and pulls down the malicious payload. Further investigation into the IP address of that C2 server led me to three more apps, ‘Playful Game Station’, ‘Watch SMS’, and ‘HS Photo Collage’, all of which also contain the Joker dropper.
Playful Game Station https://koodous.com/apks/c1fe3d54dbb3d5bea5ee38282c28a913210964cdac03b2c6ad0f5f432077c38b
Watch SMS
HS Photo Collage
Interestingly, security researcher @ReBensk has recently uncovered a fake version of WhatsApp called ‘FmWhats latest version’ on the Play Store that contains the Joker Trojan. It is currently still available and has over 500,000 installs.
FmWhats latest version
SHA256: 25993bc8a9d54bde576da7c23cef6521d78ff7f9b77b6e289b294c3bd948a918
Archived from Google PlayStore:
Listing – http://archive.vn/G2YsK
Further investigation led me to samples of the Trojan and to additional analysis. The fake WhatsApp is Google Play Protect-verified, so it passes the store’s security checks. It also displays adverts and collects users’ contact information, such as email addresses and phone numbers, before it stops working. Hundreds of users have left one-star reviews for the fake app. However, there is also a large number of five-star reviews from suspected bot accounts that leave a one-word description such as ‘good’ or ‘nice’.
Reviews – http://archive.vn/saKHM
@MalwareHunterTeam also uncovered another Trojanised app carrying the Joker malware, called ‘Separate Wallpapers’, which has over 100,000 installs and is still available on the Play Store. This brings the total to around 600,000 installs of these fake apps.
Archived on the PlayStore: http://archive.vn/lp2Pr
MITRE ATT&CK TTPs:
Techniques:
T1416 – Android Intent Hijacking
T1417 – Input Capture (Mobile)
T1516 – Input Injection (Mobile)
T1453 – Abuse Accessibility Features
T1432 – Access Contact List
T1412 – Capture SMS Messages
T1475 – Deliver Malicious App via Authorized App Store
T1204 – User Execution
T1203 – Exploitation for Client Execution
Mitigation:
M1005 – Application Vetting
M1012 – Enterprise Policy
M1011 – User Guidance
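The behaviours described above (SMS capture, contact-list access, accessibility abuse) all leave traces in an app’s manifest, which gives an app-vetting pipeline (M1005) a cheap first-pass check. The following Python is an added example, not code from the original post or from any of the researchers it cites. The mapping from Android permissions to the ATT&CK techniques listed above is my own assumption for illustration, the manifest it parses is a constructed sample, and the only value taken from the post is the FmWhats SHA256.

```python
"""Manifest-based triage for the Joker-style behaviours described above.

Added example. The permission-to-technique mapping is an assumption made
for this demonstration; the sample manifest below is constructed.
"""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from declared permissions to the post's ATT&CK TTP list.
PERMISSION_TECHNIQUES = {
    "android.permission.READ_SMS": "T1412",       # Capture SMS Messages
    "android.permission.RECEIVE_SMS": "T1412",    # Capture SMS Messages
    "android.permission.READ_CONTACTS": "T1432",  # Access Contact List
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "T1453",  # Abuse Accessibility
}

# File-hash IOC taken from the post (FmWhats latest version).
KNOWN_IOCS = {
    "25993bc8a9d54bde576da7c23cef6521d78ff7f9b77b6e289b294c3bd948a918",
}


def manifest_techniques(manifest_xml: str) -> dict:
    """Return {technique_id: [permission, ...]} for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    declared = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name:
            declared.add(name)
    # Accessibility services are gated by a permission on the <service> element,
    # not by a <uses-permission> entry, so check those separately.
    for svc in root.iter("service"):
        name = svc.get(ANDROID_NS + "permission")
        if name:
            declared.add(name)
    found = {}
    for name in sorted(declared):
        technique = PERMISSION_TECHNIQUES.get(name)
        if technique:
            found.setdefault(technique, []).append(name)
    return found


def is_known_ioc(sha256_hex: str) -> bool:
    """True if the APK hash matches a published IOC."""
    return sha256_hex.lower() in KNOWN_IOCS


def triage(manifest_xml: str, apk_bytes: bytes) -> dict:
    """Combine hash matching with the manifest heuristic into one verdict."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    techniques = manifest_techniques(manifest_xml)
    # Heuristic threshold (assumption): two or more of the listed behaviours in
    # one app is worth a human look; a single one is common in legitimate apps.
    suspicious = is_known_ioc(digest) or len(techniques) >= 2
    return {"sha256": digest, "techniques": techniques, "suspicious": suspicious}


# Constructed sample manifest for demonstration only.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".ConstructedService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, b"constructed apk bytes"))
```

A messaging app will legitimately request SMS and contact permissions, so the manifest check is a prioritisation signal for reviewers rather than a verdict; the hash check catches only already-published samples. In practice the manifest would be decoded from the APK first (for example with apktool or aapt), since the binary XML inside the archive is not parseable by ElementTree as-is.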
IOCs are available here.
Sources: