Researchers uncovered a new wave of Android malware campaign ” Joker” which posed as a QR scanner to target Android users.
Joker malware carries functionalities of both Spyware and Trojan capabilities, and quite sophisticated remain undetected through the traditional malware analysis methods.
The malware was initially found from the Google play store where their attacker hides a legitimate application that posed as Free QR Scanner uploaded with the developer name “Marcelo Bruce”.
This variant was identified through a lead from a Tweet, and the app was present in the Google Play Store till July 05, 2021, also confirmed that the app was an updated version of Joker that downloads additional malware to the infected device to subscribe to the premium services without user knowledge.
Joker malware authors keep modifying the application to evade the play protect detection, and those changes including the execution methods, and using different payload retrieving techniques.
Attackers adapt the traditional evasion technique of Dynamic Code Loading (DCL) and reflection that helps attackers to drop the malicious file on the victim’s device.
Once the file gets installed and launched by the victim, the malicious app establishes a connection to the Command and control server drops a trojan.
According to the Cyble report, “The malware initiates malicious behavior from the application subclass, qr.barcode.scanner.ScannerApp. This class is executed first when the user starts the application.”
During the infection process, researchers observed that the attackers using a class called “Ferry” that has the capability of reading notifications received by the victim’s device including text messages, and cancel them without user knowledge.
“The application has several Wireless Application Protocol (WAP) subscription URLs for its billing service. WAP billing is a payment method for purchasing content from sites, with the charges being directly added to the mobile phone bill. Using this billing service, attackers can target countries including the U.S., the U.K., India, Thailand, and Vietnam”
These Unknown subscriptions charging victims on a daily, weekly, or monthly basis, thereby allowing attackers to gain monetary benefits.
Joker malware eventually steals Text messages, device information, contact details also capable of stealing money Stolen from the user’s bank account without the victim’s knowledge.
IOC type – SHA256
Malicious URL
The GitVenom campaign, a sophisticated cyber threat, has been exploiting GitHub repositories to spread malware…
In a recent escalation of cyber threats, hackers have launched a targeted campaign, identified as…
A recent cybersecurity investigation has uncovered a cluster of 16 malicious Chrome extensions that have…
A significant vulnerability has been discovered in the Sliver C2 server, a popular open-source cross-platform…
A significant breakthrough in bypassing Windows activation has been achieved with the introduction of TSforge,…
The AhnLab Security Intelligence Center (ASEC) has uncovered a new cyberattack campaign leveraging the LummaC2…