Hidden Presence of Joker in COVID-19/Corona-themed Apps

Rakesh Krishnan
6 min readApr 19, 2020

--

For a couple of past months, Corona/COVID-19 themed attacks are spreading at a breakneck speed in the cyber space, majorly in the form of Corona-themed Phishing Sites, Delivering RATs via COVID-19 Manuals, Cryptojacking, Malwares and much more. Hence, in order to reach a wider audience for higher infection rate, the threat actors had adopted various strategies such as by embedding malicious codes in the COVID-19/Corona themed apps available on various APK platforms.

This mainly targets the people who are not tech savvy who continues to install any COVID-19 themed apps that they come across- in order to stay well informed about this pandemic time.

Upon deep inspection, various malicious traces (of different Malwares & Adwares) are found for each Corona-Themed apps in their code base which makes the applications to perform various covert functions in the background without user’s knowledge.

One such malicious trace belongs to the infamous JOKER Malware, which was uncovered in the month of September, 2019 by CSIS Security Group, which affected a large number of apps that are hosted on the Play Store. Upon detection, most of the apps in the Play Store had quickly pushed the patch as an update (nearly 17K apps were updated which had 1,00,000+ installs).

Joker is a financial malware that steals money from user’s account by signing up them for premium subscriptions for various services. Joker kick-starts by simulating interaction with advertisements and triggers the payment as it does have the access to SMS (Remember when you grand permission to read your Messages) which contains the OTP for granting permission for premium services from the ads, ultimately emptying your bank accounts.

Image Courtesy:- AlixBranwyn (DeviantArt)

Recently, while inspecting some of the COVID-19/Corona themed apps from various APK Platforms, it is found that the JOKER is BACK (although a smaller presence is observed).

In order to provide a deeper insight, we are going to discuss the 5 use cases of COVID-19 themed apps which are still being available on the open internet for anyone to download.

CASE -1 : Corona Tracker

App Store Screenshot

On analyzing this app, it is found that this contains only 1 DEX file where the traces of Joker and Konni had been found.

DEX: Dalvik Executable which is a discontinued VM from Android, replaced by ART (Android Runtime) from Lollipop Edition.

KONNI: Infamous RAT used by North Korean Cyber Espionage Group APT-37

Upon further analysis, it is found that the code that matched with JOKER had appeared on October 15th, 2019.

It is also notable that the app contains the code genes of various other apps such as Apple Music, Sex Games for Adults, Line Lite, Snapchat, DarkMode etc which are unrelated to the COVID-19 situation awareness.

QUICK-GLANCE

URL: https://apkpure.com/corona-tracker/psycho.developers.coronatracker
Name: Corona Tracker
Size: 2.2 MB
APK: APK Pure
By: Psycho Developers
Location: New Delhi, India
Date: 18th March, 2020

IOCs

MD5:7e96a4b8ee64629941a0bb1724130efe
SHA-1:bf4d9757eb3c9ea01fd25930037271fc6a304d88
SHA-256: 2fb47cd63d9c28ca4c3851281ec2d07a073e7b9fdacd470737b5a239fb44e994
Vhash: ab78998e4cba7b48a2dc86afb8be7af9
SSDEEP:49152:sWx8fKkmv5v4qouMpi7eExJ2q+IRz8h5wvewcVlBzpC2GmEe:Cikmv5PouMpi7eyJ2K8hYl1mEe

CASE -2 : Corona Virus Status

App Store Screenshot

On analyzing this APK file, Joker’s samples(relatively less) were detected as malicious along with unrelated packages such as Dark Mode, MX Player, Apple Music, Line Lite etc which are unrelated to Corona Situational Awareness.

URL: https://corona-virus-status.en.uptodown.com/android
Name: Corona Virus Status
Size: 3.60 MB
APK: Uptodown
By: Bokyum Kim (Arum Communications)
Location: Seoul
Date: 25th March, 2020

IOCs

MD5: 8eb569046c85db3ace60cd52898b0e60
SHA-1: fadd63c5abfcb08da26cbc5a9c8559cdcf6bee41
SHA-256: e186043bff4915f92f48dfd420b7a96e5f052e0906bbbd3e3489cb2e333610fd
Vhash: 702e812a9815c8865b5dfb0a13a043e1
SSDEEP:49152:rk31C1Fr30VzMFQTF4+tEjumRNkI1cA8aik0424LMg2wrgrxS:g31wRktMFQR4+tEjXkIObaikf2CXgrxS

CASE -3 : Coronavirus Tracker 2020 APK

App Store Screenshot

On analyzing this app, it is found that this contains 3DEX files in which classes.dex is polluted where the traces of Joker, Generic Malware & BearClod Clicker had been found.

BearClod Clicker: Clicker Malware which aims to get a hold of as many devices as possible to generate illegitimate profit. Another closest family of this clicker malware is Haken.

Genreric Malware: Classified under Backdoor/Trojan, initially detected on 3rd April, 2020.

The app contains the code genes of various other apps such as Bible Apps for Kids, North Pole Calls and Videos from Santa, MiFit etc which are unrelated to the COVID-19 situation awareness.

QUICK-GLANCE

URL: https://apk.support/download-app/com.anteger.corona
Name: Coronavirus Tracker 2020 APK
Size: 9.58 MB
APK: APK Support
By: Google
Location: California, US
Date: 3rd February, 2020 (Update)

IOCs

MD5: 8588943a51c1156897d48ad0148c3b03
SHA-1: 228a170b7b874e15068ae4d8bd32cfcf741708d7
SHA-256: b81099150704ef7972fa1835c489bc4cba84625ea52dcdee07c154b66ea09fb5
Vhash: fe3af8d1512b8c494aba6d8a38cb2ee0
SSDEEP: 196608:xe5qWqg6dz1QS278JBueIsb2JdcdfSBWG+1e+gukx3hfB5M0Z7OhS:Dvg628J0DZo91w9Rfbp5O4

CASE -4 : Corona Maroc

App Store Screenshot

In this package, we found 161 Gene match with Joker, that contributes a total of 3.74% code match.

The app contains the code genes of various other apps such as MX Player, Dark Mode, Line Lite etc which are unrelated to the COVID-19 situation awareness.

QUICK-GLANCE

URL: https://aapks.com/apk/coronamaroc/version/51104413
Name: Corona Maroc
Size: 7.17 MB
APK: AAPKS
By: Anas Darai
Location: Khenifra, Mrirt, Morocco
Date: 15th March, 2020 (Update)

IOCs

MD5: 9deab8226dd8c96b9e925db39cd320c3
SHA-1: 3c74ee3e67212e4f0984c100468f9f69b822aabc
SHA-256: 2727ecc8d5c42e5605dabcebd29526d4742f2e0cded45d91167ec30a6bfdc5d7
Vhash: 9f3ae89ec6e9ad5d16226df29c8d0b2c
SSDEEP: 98304:kvQCtQyEip1FKLikqNVQzt+TYAF9PxVj5OOL4NpEQfU4ZhDLAlBa:kNtZug3QI8AzZVj5rEN1UMhDX

CASE -5 : WHO COVID-19 0.6.1 beta

App Store Screenshot

On analyzing this app, it is found that this contains 3DEX files in which classes.dex is polluted where the traces of Joker & BearClod Clicker had been found.

The app also contains the code genes of various other apps such as Super VPN, Mi Home, Bible App for Kids, Chicago Bears etc which are unrelated to the COVID-19 situation awareness.

QUICK-GLANCE

URL: https://www.apkmirror.com/apk/world-health-organisation/who-covid-19/who-covid-19-0-6-1-release/who-covid-19-0-6-1-android-apk-download
Name: WHO COVID-19 0.6.1 beta
Size: 9.14 MB
APK: APK Mirror
By: Google
Location: California, US
Date: 13th April, 2020

IOCs

MD5: f6487aeebc114391faa97ccbe6a58d2c
SHA-1: 67f8639b60c026344ce93dc43372f17d0c02e7ba
SHA-256: 38c0a4c4750cd7c41de4ece7e1de43aa9045c24b70e7c16c3b280d48e37ae01c
Vhash: 89447095268e0817bd1f9742b3e72d23
SSDEEP: 196608:39zOchUu5Af+hVmyHgkXIApdRqNF+YvtqEOXmyLnUi6E01h:AifnHgSIAr+7OzUi6Ph

There are more Joker-Infested apps floating around different App platforms which still shows the presence of Joker in its codebase.

JOKER- NAME FOR A REASON!

As Joker is the disguised form for Antagonism, this malware exactly mimics the behavior of a clown who can impersonate or blend with the basic nature.

Due to its masquerading abilities and the encryption techniques used such as AES, Blowfish and DES to encrypt the strings, it is difficult for the malware to get detected. Even different keys are used for different classes in order to effectively evade the signatures of known samples.

Hence, there is a high chance of recurring Joker-Infested apps to be on rise with any trending topics with new functions (obviously FUD).

IMPORTANCE OF SANDBOXING OVER VIRUS-TOTAL

During the analysis of above mentioned apps, it is found that some of them are not detectable as ‘malicious’ while running a plain hash check in platform such as VirusTotal. Hence, sandbox analysis is always preferred since it notes the program behavior while execution and can match with any previously detected malicious code from its platform.

That’s why you usually see comments on some of the samples where detection=0.

KEY-INTAKES

>Never Store your financial credits on your phone for any Auto-Pay/Renew Subscription.
>Never allow permissions for unknown apps (mainly camera/message access).
>Never install an app from a link received via mail/chat, as it’s always good to trace the source.
>In case if you want to install an app from an untrusted souces, the file to be analyzed using any sandbox such as Joe or Hybrid Analysis in order to know whether any of the app-component had been red-flagged.

Note:- The Article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.

Care to Donate for Research Purpose?
1E4v8eXjieNhKDWc5Rww84D2TXrqxcjVKZ (only BTC Accepted)

--

--

Rakesh Krishnan
Rakesh Krishnan

Written by Rakesh Krishnan

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.