# Full Report
CERT Polska has recently observed new samples of the “Joker” mobile malware. The applications are present in the Google Play Store and target Polish users, among others.
# Analysis Summary
# Tool/Technique: Joker Mobile Malware (New Samples)
## Overview
New samples of the "Joker" mobile malware have been observed by CERT Polska, distributed via applications in the Google Play Store, specifically targeting Polish users among others. The malware is designed to facilitate unauthorized subscriptions to premium services by automatically intercepting SMS messages and confirming transactions using extracted codes.
## Technical Details
- Type: Malware family (Mobile)
- Platform: Android
- Capabilities: SMS retrieval, communication obfuscation, automatic premium subscription sign-up, transaction confirmation.
- First Seen: recently, per the report date (October 2024).
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on described capabilities.*
- **TA0001 - Initial Access**
  - T1484 - Acquire Infrastructure Resource
    - T1484.002 - Compromise a Cloud Account or Infrastructure (if using cloud storage for delivery/C2)
- **TA0003 - Persistence**
  - T1541 - Persistent File or Information Data Staging (storing configuration/credentials/SMS content temporarily)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
    - T1027.004 - Compile-Time Obfuscation (deception via benign app interface, string encryption)
- **TA0008 - Lateral Movement** (not explicitly detailed, but often a follow-on goal)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (exfiltrating transaction data/SMS content)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (use of HTTP/HTTPS)
- **TA0013 - Credential Access**
  - T1056 - Input Capture
    - T1056.001 - Keylogging (implied by capturing transaction codes from SMS)
## Functionality
### Core Capabilities
- **Application Deception:** Presents a benign interface ("beauty camera") matching the Google Play Store description to users.
- **Code Obfuscation:** Utilizes XOR encryption (specifically with an obfuscation function `AbstractC1835n.m226m`) to hide critical strings, notably C2 domains.
- **Network Initialization:** Initializes communication using an obfuscated base URL (`kamisatu[.]top`).
- **SMS Interception/Retrieval:** Continuously retrieves and saves SMS messages from the user's device.
- **Transaction Confirmation:** Parses retrieved SMS messages to find transaction confirmation codes (e.g., codes matching patterns like `(kod|PIN|code)` in the SMS body).
### Advanced Features
- **Automated Subscription:** Uses the retrieved PIN codes to automatically confirm premium service transactions via HTTP POST requests to an e-payment API (`https://epayment.teleaudio.pl/api2/ta/direct/confirm`).
- **Transaction Status Check:** Sends status requests to verify if the subscription was "Transakcja zakończona pomyślnie" (Transaction successfully completed).
- **Encrypted Communication Setup:** Employs proprietary or custom encryption/encoding routines (`C0005LfUtNUXX`) when sending confirmation data to the payment endpoints.
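The string obfuscation described under Core Capabilities (a runtime XOR routine hiding the C2 domain) is what an analyst has to undo first when triaging a sample. The following is an added analyst example, not code from the report or from the malware: it brute-forces a single-byte XOR key over a byte blob and keeps decodings that are printable and contain a hostname-like token. The sample bytes are constructed here from the hostname named in the report with a key chosen for this example (0x5A); the real sample's key length and encoding layout are assumptions not stated in the report.

```python
import re
import string

# Constructed sample, not bytes from the real DEX: the C2 hostname named in the
# report, XOR-obfuscated here with a key chosen for this example (0x5A).
SAMPLE_KEY = 0x5A
OBFUSCATED_SAMPLE = bytes(b ^ SAMPLE_KEY for b in b"https://kamisatu.top/")

PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")
# A hostname: labels of [a-z0-9-], ending in an alphabetic TLD of 2+ letters.
HOST_RE = re.compile(rb"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call both obfuscates and deobfuscates."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for empty input)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def recover_hosts(blob: bytes, min_ratio: float = 0.95) -> list[tuple[int, str]]:
    """Try every single-byte key (assumed key size) and return (key, host) pairs
    whose decoding is mostly printable and contains a hostname-like token."""
    hits = []
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if printable_ratio(candidate) < min_ratio:
            continue
        for m in HOST_RE.finditer(candidate.lower()):
            hits.append((key, m.group(0).decode("ascii")))
    return hits


def defang(host: str) -> str:
    """Render a recovered host as an indicator safe to paste into reports."""
    return host.replace(".", "[.]")


if __name__ == "__main__":
    for key, host in recover_hosts(OBFUSCATED_SAMPLE):
        print(f"key=0x{key:02x} host={defang(host)}")
```

Running it on a real blob means feeding in the byte array the obfuscation function reads from; a repeating multi-byte key needs per-position guessing instead of this single loop.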
## Indicators of Compromise
- File Hashes:
  - Stage one (APK): `1ad4d8037d6890f317dc28bb53c1eb03`
  - Stage two (Decoded DEX): `f508a96654c355b8bd575f8d8ed8a157`
  - Other related samples: `962c0590dd3d2cdb707e32ae8b30bcfc`, `bcfe46df4d66cc3c6f92d281ceac53e1`, `5942a2e46b29ddc1dd5d9373a8c419ad`, `62d9b7cff4a09d7c3b7e8bcf9d00d196`
- File Names: `com.onmybeauty.beautycamera.apk`, `decoded_kuwan.dex`
- Registry Keys: N/A (Mobile/Android)
- Network Indicators:
  - C2 Domain (Obfuscated): `kamisatu[.]top`
  - Secondary Infrastructure: `https://forga.oss-me-east-1.aliyuncs.com/Kuwan`
  - Payment API Endpoints: `https://epayment.teleaudio.pl/api2/ta/direct/confirm`, `https://epayment.teleaudio.pl/api2/ta/direct/status/`
- Behavioral Indicators: Unauthorized use of SMS read/write permissions, initiation of POST requests to external financial endpoints immediately after granting permissions, runtime string decryption via XOR.
## Associated Threat Actors
- Joker Campaign (Also known as Bread, Candle, or Cloud Snooper).
## Detection Methods
- Signature-based detection: Hash matching for known malicious files. Signature development using YARA rules targeting the specific XOR key usage or API call sequences.
- Behavioral detection: Monitoring applications that request SMS reading permissions while simultaneously initiating POST requests to unfamiliar or encrypted endpoints, especially those interacting with known premium SMS/payment gateways.
- YARA rules: none are provided in the source report; rules matching the obfuscated string-loading routines would be needed for static analysis.
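The behavioral detection above (an app granted SMS permissions that shortly afterwards POSTs to a premium-SMS/payment gateway) can be expressed as a correlation over device telemetry. This is an added example, not tooling from the report: it parses constructed event lines (the format is an assumption made for this example), remembers when each package was granted an SMS permission, and flags a POST to a gateway host from the same package inside a time window. The package name and gateway host are the ones named in the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not from the report), one event per line, in time order.
SAMPLE_EVENTS = """\
2024-10-14T09:00:01Z perm_granted pkg=com.onmybeauty.beautycamera perm=android.permission.READ_SMS
2024-10-14T09:00:05Z net pkg=com.onmybeauty.beautycamera method=POST host=epayment.teleaudio.pl path=/api2/ta/direct/confirm
2024-10-14T09:10:00Z perm_granted pkg=com.example.messenger perm=android.permission.READ_SMS
2024-10-14T09:11:00Z net pkg=com.example.messenger method=POST host=api.example.org path=/sync
2024-10-14T10:00:00Z net pkg=com.example.bank method=POST host=epayment.teleaudio.pl path=/api2/ta/direct/status/
"""

PAYMENT_HOSTS = {"epayment.teleaudio.pl"}  # gateway named in the report
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse_event(line: str):
    """Split a line into (timestamp, kind, {field: value})."""
    ts, kind, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, fields


def find_suspicious(text: str, window_s: int = 300) -> list[tuple[str, str, int]]:
    """Return (package, host, seconds_since_grant) for each POST to a payment
    gateway made within window_s seconds after that package got an SMS permission."""
    grants = defaultdict(list)  # package -> timestamps of SMS permission grants
    alerts = []
    for line in text.splitlines():
        ts, kind, f = parse_event(line)
        if kind == "perm_granted" and f.get("perm") in SMS_PERMS:
            grants[f["pkg"]].append(ts)
        elif kind == "net" and f.get("method") == "POST" and f.get("host") in PAYMENT_HOSTS:
            recent = [g for g in grants[f["pkg"]] if 0 <= (ts - g).total_seconds() <= window_s]
            if recent:  # a gateway POST alone (e.g. a bank app) is not flagged
                alerts.append((f["pkg"], f["host"], int((ts - recent[-1]).total_seconds())))
    return alerts


if __name__ == "__main__":
    for pkg, host, secs in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {pkg} POSTed to {host} {secs}s after SMS permission grant")
```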
## Mitigation Strategies
- **Prevention measures:** Exercise extreme caution when downloading apps from the Google Play Store, especially those requiring excessive permissions before providing core functionality. Verify developer reputation and user reviews rigorously.
- **Hardening recommendations:** Review the permissions granted to all installed applications and revoke SMS read/write access from applications that are not messaging apps. Keep Google Play Protect enabled.
## Related Tools/Techniques
- Other malware families that leverage SMS intercept for unauthorized monetization (e.g., FluBot, or older versions of Joker).
- Techniques involving runtime XOR decryption for string loading.