Thursday, April 18, 2024

Malicious Android App Posed As QR Scanner To Launch Joker Malware That Steals SMS Data

Researchers uncovered a new wave of Android malware campaign ” Joker” which posed as a QR scanner to target Android users.

Joker malware carries functionalities of both Spyware and Trojan capabilities, and quite sophisticated remain undetected through the traditional malware analysis methods.

The malware was initially found from the Google play store where their attacker hides a legitimate application that posed as Free QR Scanner uploaded with the developer name “Marcelo Bruce”.

This variant was identified through a lead from a Tweet, and the app was present in the Google Play Store till July 05, 2021, also confirmed that the app was an updated version of Joker that downloads additional malware to the infected device to subscribe to the premium services without user knowledge.

Joker Malware Infection Process

Joker malware authors keep modifying the application to evade the play protect detection, and those changes including the execution methods, and using different payload retrieving techniques.

Attackers adapt the traditional evasion technique of Dynamic Code Loading (DCL) and reflection that helps attackers to drop the malicious file on the victim’s device.

Once the file gets installed and launched by the victim, the malicious app establishes a connection to the Command and control server drops a trojan.

According to the Cyble report, “The malware initiates malicious behavior from the application subclass, qr.barcode.scanner.ScannerApp. This class is executed first when the user starts the application.”

Joker Malware

During the infection process, researchers observed that the attackers using a class called “Ferry” that has the capability of reading notifications received by the victim’s device including text messages, and cancel them without user knowledge.

“The application has several Wireless Application Protocol (WAP)  subscription URLs for its billing service. WAP billing  is a payment method for purchasing content from sites, with the charges being directly added to the mobile phone bill. Using this billing service,  attackers  can  target countries including the U.S., the U.K., India, Thailand,  and Vietnam”

These Unknown subscriptions charging victims on a daily, weekly, or monthly basis, thereby allowing attackers to gain monetary benefits. 

Joker malware eventually steals Text messages, device information, contact details also capable of stealing money Stolen from the user’s bank account without the victim’s knowledge.

Mitigation for this kind of Malware

  • Keep your anti-virus software updated to detect and remove malicious software. 
  • Uninstall the application if you find this malware on your device. 
  • Keep your system and applications updated to the latest versions. 
  • Use strong passwords and enable two-factor authentication. 
  • Download and install software only from trusted sites and official app stores. 
  • Verify the privileges and permissions requested by apps before granting them access. 


IOC type – SHA256

  • a18508d9047fe87da2bf14211c3f31c5ad48277348eb5011fdfe4dd7dac13d52 
  • 0840f6feef265393c929ac61e0b1b04faa3999e1ae5655fd332ec674be2661a0 
  • f772532dc7b83242e54cfec2bf740f12c13b1f2fce9da188da19b6df55da4fab 
  • 3aac23064f58f32f8cd345b9455be3d638f5ae8658bbc6badcedcb111b002572 

Malicious URL

  • hxxp:// Interesting
  • hxxp:// Interesting
  • hxxp:// Interesting
  • hxxp:// Interesting
  • hxxp:// Interesting

Latest articles

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...

Phishing-as-a-Service Platform LabHost Seized by Authorities

Authorities have dismantled LabHost, a notorious cybercrime platform that facilitated widespread phishing attacks across...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles