Joker Virus — Analyzing the Unobtrusive Performance of the Intriguing Bread Virus

Comprehending the hacker’s mind of coding

Safoora Maqbool
Level Up Coding

Photo by Bermix Studio on Unsplash

The intriguing Trojan malware named the Joker Virus has once again found its spot on stage, creeping through yet more apps in the Play Store. The virus, which first appeared in Play Store apps back in 2017 and then again last year in 2020, has once more become a topic of debate.

As intriguing and astounding as its name sounds, the motive behind it is absolutely not something jollifying. It rather has the capacity to eat up the entire bank or credit card balances of an infected Android phone’s owner.

What is the Joker Virus, and how does it threaten your bank accounts and credit cards? Learn about it in my other article:

What’s worse about the Joker Virus is that it goes undetected by most anti-malware products because of the classic yet advanced and innovative encryption techniques the hackers employed in the code snippets containing the actual virus.

From the list of 8 Play Store applications that were found infected as of 2021, we’ll consider one, Easy QR Scanner (an Android scanning application), and analyze how the hackers disguised a snippet of code that threatens your hard-earned bread and butter.

If you haven’t read the previous article that I referred to above, here’s a small overview of how the virus works: you install one of those 8 infected apps on your Android device (not knowing anything about the virus). On its first run after installation, it requests several permissions, of which access to SMS, contacts and phone device info are the ones that deserve your attention; normally, though, we all ignore them and simply tap ‘Allow’ against every request.

Once you tap that Allow button, the virus gains the ability to send SMS texts to vendors and make shady subscriptions in your name without you noticing. These shady subscriptions cost a fee that, at the end of the month, appears in the ‘additional costs’ section of your carrier bill.

Image designed in Canva by Author

Other than the SMS Billing fraud, the Joker Virus hackers have also used Toll Billing fraud, in which a user is presented with a payment endpoint on a webpage. When a user clicks on the embedded URL provided to them by the hackers via their ‘carrier operator’ (SIM card company) and enters their phone number to complete the payment, the hackers learn the phone number and even verify that the request is coming from the same user by either of two methods:

  1. When a user clicks on that embedded URL, their device’s data connectivity is toggled (without them knowing) so that the user is connected over mobile data and not Wi-Fi. That way, since the mobile operator is handling the connection directly, the phone number can be easily traced and validated.
  2. The user is required to enter a passcode, sent to them via SMS, into the webpage which opens when the user clicks on the embedded URL. That way, the user himself verifies possession of the phone number to which the SMS was sent.

The two techniques of Toll Billing and SMS Billing have been used so far by the hackers behind the Joker Virus. Whatever technique they employ, their aim is to obtain the carrier info and phone numbers of users in order to automate the shady subscriptions that keep piling up surcharges on the user’s behalf without them knowing.

Analyzing the Hacker’s Mind of Coding

So, how do the hackers put together the code snippet that keeps the virus hidden from anti-malware software while it runs constantly in the background? Let's take a look at the network logging report (Toll Billing fraud going on here) of the Easy QR Scanner app, which was infected by the Joker Virus.

Step#1 — The first launch of an application after Installation

The app at the first launch requests the following four permissions:

Image by Author (Designed in Canva)
  1. Access to Camera
  2. Access to Contacts
  3. Access to Phone Storage
  4. Access to SMS Notifications

Once you Allow all of the above, the app launches a Camera to scan a QR code provided by the application itself. The QR code holds information of an embedded URL which, when scanned, opens up that embedded URL in a browser tab. Whether the page loads completely or not, it does however trigger the virus to start its action by downloading payloads one after the other without the user knowing.

Now, this activity of the app goes unnoticed by the anti-virus software installed on your device because the hackers have made use of the Tencent packer, which hides the malicious code so that the anti-virus engines (even those of the Play Store) fail to detect it. Here’s what a downloaded app package from the Play Store looks like:

Downloaded App Content (Image by Author)

See that Tencent.StubShell file? That’s the encrypted packet containing the code that hides the malicious activity, namely downloading payloads in the background without the user knowing. The first run of the installed application produces the first network log entry. When the Tencent.StubShell file is unpacked, it contains instructions to download three payloads consecutively, with each payload carrying an instruction to download the next payload automatically. Here’s the screenshot of the activity obtained through APK analyzer software:

Total 3 payloads downloaded (Image by Author)

All three payloads are downloaded using the GET method from the same domain, but via different paths. The first payload is named xiwa.doc, and it contains the code snippet that downloads the next payload.
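Two things an analyst would check from the report described above are the chain itself (one host serving several distinct paths in sequence) and the mismatch between a payload’s document-style name and what the bytes actually are. The following is an added example, not code from the article or from the Easy QR Scanner analysis: it parses a constructed network log in an assumed `<seq> <METHOD> <url> <bytes>` format (the real report is only shown as an image), reconstructs per-host download chains, and sniffs a payload’s magic bytes so that a file called `xiwa.doc` that starts like a DEX, zip or ELF file is flagged. The host names and payload bytes are placeholders.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample log (placeholder hosts and paths, not the article's screenshot).
# Assumed line format: "<seq> <METHOD> <url> <bytes>"
SAMPLE_LOG = """\
1 GET https://cdn.example-placeholder.test/a/xiwa.doc 48213
2 GET https://cdn.example-placeholder.test/b/stage2.dat 90112
3 GET https://cdn.example-placeholder.test/c/final.bin 131072
4 GET https://fonts.example-placeholder.test/roboto.woff2 22000
"""

# Magic bytes of executable containers that should never hide behind a document extension.
MAGIC = {
    b"dex\n": "dex",        # Dalvik executable (full header is e.g. "dex\n035\0")
    b"PK\x03\x04": "zip",   # APK/JAR files are zip archives
    b"\x7fELF": "elf",      # native shared library
}
DOC_EXT = {".doc", ".docx", ".pdf", ".txt", ".xml"}


def parse_log(text):
    """Turn log lines into dicts; lines that do not match the assumed format are skipped."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+(GET|POST)\s+(\S+)\s+(\d+)", line)
        if not m:
            continue
        seq, method, url, size = m.groups()
        u = urlparse(url)
        entries.append({"seq": int(seq), "method": method,
                        "host": u.netloc, "path": u.path, "size": int(size)})
    return entries


def find_download_chains(entries, min_len=3):
    """Group GET requests by host, in log order; a host with >= min_len distinct
    paths is a candidate staged-download chain worth a closer look."""
    by_host = {}
    for e in entries:
        if e["method"] == "GET":
            by_host.setdefault(e["host"], []).append(e["path"])
    return {host: paths for host, paths in by_host.items() if len(set(paths)) >= min_len}


def sniff(data):
    """Classify a payload by its leading bytes rather than by its file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename, data):
    """True when the name claims a document but the bytes are an executable container."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in DOC_EXT and sniff(data) != "unknown"


if __name__ == "__main__":
    chains = find_download_chains(parse_log(SAMPLE_LOG))
    for host, paths in chains.items():
        print(f"chain from {host}: {' -> '.join(paths)}")
    # Constructed payload bytes: a DEX header behind a .doc name.
    print("xiwa.doc mismatch:", extension_mismatch("xiwa.doc", b"dex\n035\x00" + b"\x00" * 16))
```

The chain heuristic deliberately ignores the file names: the staged downloads described above are recognisable from the host/path pattern alone, and the magic-byte check catches the `.doc` disguise even if a later sample renames the payload.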

Here’s what the code of the first payload looks like:

Image by Author

After successful execution of the first payload, the second payload is executed, which first checks the SIM operator type. This is done using the getSimOperator method. Once getSimOperator returns successfully, it provides both the mobile country code and the mobile network code. Upon receiving this information, the application code then sends an OTP confirmation request to validate the process and gain access to the phone number as well.

Code snippet from Second Payload (Image by Author)

When the users approve the confirmation request by sending back the OTP, their phone numbers along with carrier information, all become vulnerable to the virus. It then proceeds with subscribing the user to premium services — the main action of the Joker Virus. This is done by a code snippet hidden in the final stage (3rd) payload, automatically once the user sends back the OTP to confirm access to the device.

The onReceive() method is used here to collect all user information (mobile number with complete carrier information, plus device info) from the confirmation message delivered through the Broadcast Receiver.

Here’s the snippet of the onReceive code used by the hackers in the Easy QR Scanner application.

Collecting Received text and user device and carrier info (Image by Author)
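The two observations above, the over-broad permission set requested at first launch (Step#1) and the Broadcast Receiver whose onReceive() reads the incoming confirmation SMS, are both visible statically in the app’s manifest before a single payload is downloaded. The following is an added example, not code from the article or from the Easy QR Scanner app: it parses a constructed AndroidManifest.xml excerpt (package and class names are placeholders), lists the permissions that a QR scanner has no plausible need for, and finds any receiver registered for the real `android.provider.Telephony.SMS_RECEIVED` action. The set of permissions treated as risky is an assumption chosen for a scanner app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Assumption: permissions a QR scanner has no business requesting.
RISKY = {
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
}

# Constructed manifest excerpt; package and receiver class names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder.qrscanner">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application>
        <receiver android:name=".SmsCatcher" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return the <manifest> root element."""
    return ET.fromstring(xml_text)


def requested_permissions(root):
    """All android:name values of <uses-permission> elements."""
    return {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}


def sms_receivers(root):
    """Class names of <receiver> elements whose intent filter listens for SMS_RECEIVED."""
    found = []
    for rcv in root.iter("receiver"):
        for action in rcv.iter("action"):
            if action.get(ANDROID_NS + "name") == SMS_RECEIVED:
                found.append(rcv.get(ANDROID_NS + "name"))
    return found


def assess(xml_text):
    """Produce human-readable findings for an analyst triaging the app."""
    root = parse_manifest(xml_text)
    perms = requested_permissions(root)
    risky = sorted(perms & RISKY)
    receivers = sms_receivers(root)
    findings = []
    if risky:
        findings.append(f"risky permissions for a scanner app: {risky}")
    if receivers:
        findings.append(f"receiver(s) registered for SMS_RECEIVED: {receivers}")
    if "android.permission.RECEIVE_SMS" in perms and receivers:
        # Permission plus receiver together give the app an OTP-interception capability.
        findings.append("app can read incoming SMS, so confirmation codes are exposed to it")
    return findings


if __name__ == "__main__":
    for line in assess(SAMPLE_MANIFEST):
        print("-", line)
```

On a real APK the manifest is binary-encoded; decode it first with a tool such as apktool or aapt, then feed the resulting XML to `assess()`. The high `android:priority` on the intent filter is a common detail worth noting in triage, since it lets a receiver see an SMS before the default messaging app does.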

The final stage payload also contains string obfuscation to stay on the safe side of pattern-based signature detection, which further helps in hiding the malicious activity of the virus. Pattern-based detection is a type of security check that analyzes source code for previously known threats, i.e. those whose unique identifiers have been established since they were discovered. By using string obfuscation, hackers defeat that identifier-similarity check and hence remain undetected by pattern-based signature detection.

Here’s how the string obfuscation appeared in the source code of the Easy QR Scanner App.

Code Snippet to bypass pattern-based signature detections (Image by Author)
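To see why a signature check fails against string obfuscation and what an analyst does about it, here is an added example, not code from the article or the Easy QR Scanner app. The obfuscation scheme (a sensitive API name such as getSimOperator stored as a single-byte-XOR hex literal and decoded at runtime) is an assumption for illustration; the article does not show the exact scheme used in the app. The block shows that a plain substring signature matches the readable source but not the obfuscated one, flags literals that look like encoded blobs, and brute-forces the one-byte key to recover the hidden name, which is the usual first step when writing a signature that survives this kind of hiding.

```python
import re

# Names a naive signature scanner looks for. getSimOperator is the one discussed
# in the article; the other two are added examples.
SIGNATURES = ["getSimOperator", "SMS_RECEIVED", "sendTextMessage"]


def xor_hex(s, key):
    """Encode a string as hex of its bytes XORed with a single-byte key (illustration only)."""
    return "".join(f"{ord(c) ^ key:02x}" for c in s)


# Constructed source snippets (not from the app). The obfuscated form resolves the
# method by name through reflection, with the name hidden behind a hypothetical d() decoder.
PLAIN_SOURCE = 'String op = tm.getSimOperator();'
OBF_SOURCE = ('String op = (String) tm.getClass().getMethod(d("'
              + xor_hex("getSimOperator", 0x5A) + '")).invoke(tm);')


def signature_hits(source):
    """Plain substring matching, as a pattern-based check would do."""
    return [sig for sig in SIGNATURES if sig in source]


def suspicious_literals(source, min_len=16):
    """String literals that look like encoded blobs: long and made only of hex digits."""
    out = []
    for lit in re.findall(r'"([^"]*)"', source):
        if len(lit) >= min_len and re.fullmatch(r"[0-9a-fA-F]+", lit):
            out.append(lit)
    return out


def recover(literal):
    """Try every single-byte XOR key on a hex literal; return (key, text) when a
    known API name appears in the decoded text, else None."""
    try:
        raw = bytes.fromhex(literal)
    except ValueError:
        return None
    for key in range(256):
        candidate = bytes(b ^ key for b in raw)
        try:
            text = candidate.decode("ascii")
        except UnicodeDecodeError:
            continue
        if any(sig in text for sig in SIGNATURES):
            return key, text
    return None


if __name__ == "__main__":
    print("plain source hits:     ", signature_hits(PLAIN_SOURCE))
    print("obfuscated source hits:", signature_hits(OBF_SOURCE))
    for lit in suspicious_literals(OBF_SOURCE):
        print("suspicious literal:", lit, "->", recover(lit))
```

The practical lesson is that a detection rule keyed on the decoded name alone is brittle; the more durable indicators are the things the obfuscation cannot hide, such as reflective method lookup next to a decoder routine, or a receiver for SMS_RECEIVED declared in the manifest.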

There you have it, a small insight into how hackers write malicious code to get their desired results. Most of the time the applications appear to work smoothly, efficiently, and entirely benignly until the user either notices the surcharges on their monthly bill or becomes curious enough to explore the ‘behind the scenes’ process of the application in an APK analysis tool.

It is therefore recommended to download applications via known and reliable sources to avoid becoming a victim of cybercrime.

Disclosure: This content is written with the sole purpose of education and learning only, and not to persuade anyone to adopt the ambition or profession of hacking whatsoever.

