Hidden Presence of Joker in COVID-19/Corona-themed Apps
For the past couple of months, Corona/COVID-19 themed attacks have been spreading through cyberspace at breakneck speed, mainly in the form of Corona-themed phishing sites, RATs delivered via COVID-19 "manuals", cryptojacking, malware and much more. To reach a wider audience and a higher infection rate, threat actors have adopted strategies such as embedding malicious code in the COVID-19/Corona themed apps available on various APK platforms.
This mainly targets people who are not tech savvy and who install any COVID-19 themed app they come across in order to stay informed during the pandemic.
On deep inspection, traces of various malware and adware families were found in the code base of each Corona-themed app, which makes the applications perform various covert functions in the background without the user's knowledge.
One such trace belongs to the infamous JOKER malware, uncovered in September 2019 by CSIS Security Group, which affected a large number of apps hosted on the Play Store. Upon detection, most of the affected apps on the Play Store quickly pushed a patch as an update (nearly 17K apps were updated, which had 100,000+ installs).
Joker is a financial malware that steals money from the user's account by signing them up for premium subscriptions to various services. Joker kick-starts by simulating interaction with advertisements and then triggers the payment: because it has access to SMS (remember when you granted permission to read your messages?), it can silently read the OTP that confirms the premium subscription offered by the ad, ultimately draining the victim's account through recurring charges.
Recently, while inspecting some of the COVID-19/Corona themed apps from various APK platforms, it was found that JOKER is BACK (although with a smaller presence).
To provide deeper insight, we discuss five cases of COVID-19 themed apps which are still available on the open internet for anyone to download.
CASE -1 : Corona Tracker
On analyzing this app, it was found to contain only one DEX file, in which traces of Joker and Konni were found.
DEX: Dalvik Executable, the bytecode format of Android apps. It was originally run by the Dalvik VM, which was replaced by ART (Android Runtime) from Android 5.0 (Lollipop); ART still consumes the same DEX files, so every app still ships at least one classes.dex, and larger apps are split into classes.dex, classes2.dex and so on.
KONNI: Infamous RAT used by the North Korean cyber espionage group APT-37.
Upon further analysis, the code that matched JOKER was found to have first appeared on October 15th, 2019.
It is also notable that the app shares code genes with various other apps such as Apple Music, Sex Games for Adults, Line Lite, Snapchat, DarkMode etc., which are unrelated to COVID-19 situational awareness.
Name: Corona Tracker
Size: 2.2 MB
APK platform: APK Pure
By: Psycho Developers
Location: New Delhi, India
Date: 18th March, 2020
CASE -2 : Corona Virus Status
On analyzing this APK file, a relatively small number of Joker code matches were detected as malicious, along with packages such as Dark Mode, MX Player, Apple Music, Line Lite etc., which are unrelated to Corona situational awareness.
Name: Corona Virus Status
Size: 3.60 MB
By: Bokyum Kim (Arum Communications)
Date: 25th March, 2020
CASE -3 : Coronavirus Tracker 2020 APK
On analyzing this app, it was found to contain three DEX files, of which classes.dex is polluted: traces of Joker, Generic Malware and BearClod Clicker were found in it.
BearClod Clicker: Clicker malware which aims to get hold of as many devices as possible to generate illegitimate ad revenue. The closest related clicker family is Haken.
Generic Malware: Classified under Backdoor/Trojan, first detected on 3rd April, 2020.
The app shares code genes with various other apps such as Bible Apps for Kids, North Pole Calls and Videos from Santa, MiFit etc., which are unrelated to COVID-19 situational awareness.
Name: Coronavirus Tracker 2020 APK
Size: 9.58 MB
APK platform: APK Support
Location: California, US
Date: 3rd February, 2020 (Update)
CASE -4 : Corona Maroc
In this package, we found 161 gene matches with Joker, contributing a total code match of 3.74%.
The app shares code genes with various other apps such as MX Player, Dark Mode, Line Lite etc., which are unrelated to COVID-19 situational awareness.
Name: Corona Maroc
Size: 7.17 MB
By: Anas Darai
Location: Khenifra, Mrirt, Morocco
Date: 15th March, 2020 (Update)
CASE -5 : WHO COVID-19 0.6.1 beta
On analyzing this app, it was found to contain three DEX files, of which classes.dex is polluted: traces of Joker and BearClod Clicker were found in it.
The app also shares code genes with various other apps such as Super VPN, Mi Home, Bible App for Kids, Chicago Bears etc., which are unrelated to COVID-19 situational awareness.
Name: WHO COVID-19 0.6.1 beta
Size: 9.14 MB
APK platform: APK Mirror
Location: California, US
Date: 13th April, 2020
There are more Joker-infested apps floating around different app platforms that still show the presence of Joker in their code base.
JOKER- NAME FOR A REASON!
Joker is the disguised form of antagonism: like a clown who can impersonate anyone and blend in with the crowd, this malware hides inside apps whose visible behavior is perfectly ordinary.
Due to its masquerading abilities and the encryption used to hide its strings (AES, Blowfish and DES), the malware is difficult to detect. Different keys are even used for different classes, so a static signature written for one known sample does not match the next one.
Hence there is a high chance that Joker-infested apps will keep resurfacing on whatever topic is trending, with new functions and, obviously, FUD (fully undetectable by signature scanners at the time of release).
IMPORTANCE OF SANDBOXING OVER VIRUS-TOTAL
During the analysis of the above apps, it was found that some of them are not flagged as 'malicious' by a plain hash check on a platform such as VirusTotal. A hash lookup only tells you whether that exact file has already been scanned, and a freshly repackaged APK has a new hash that no engine has seen, even though the code inside is the same. Hence sandbox analysis is always preferred, since it records the program's behavior during execution and can match it against previously detected malicious code on the platform.
That is why you usually see comments on some of the samples where detection = 0.
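As an added example (not part of the original article and not the author's tooling), the following Python script does the two things discussed above and in the per-app cases: it enumerates the classes*.dex entries in an APK (the "three DEX files" observation), hashes each DEX and the whole APK, and searches both the DEX files and the binary AndroidManifest.xml for SMS-related strings of the kind Joker needs for OTP interception. It then repackages the APK with one extra junk entry to show why a hash-only VirusTotal lookup misses a trivially modified sample while the DEX hashes stay identical. The sample APK is constructed inline (fake DEX headers, a stand-in manifest with a UTF-16LE string) and is not one of the apps in the article; the indicator list is illustrative and is not a Joker signature.

```python
"""Static triage of an APK (a ZIP): list DEX entries, hash them, flag
SMS-related strings. Added example, not the article's own tooling."""
import hashlib
import io
import re
import zipfile

# Illustrative indicators for the SMS/OTP interception Joker relies on.
# NOT a complete Joker signature: real samples hide such strings behind the
# per-class AES/DES/Blowfish encryption described in the article.
SUSPICIOUS_STRINGS = [
    b"android.permission.READ_SMS",
    b"android.permission.RECEIVE_SMS",
    b"android.permission.SEND_SMS",
    b"android.provider.Telephony.SMS_RECEIVED",
    b"content://sms",
    b"Landroid/telephony/SmsManager;",
]
DEX_MAGIC = b"dex\n"  # every classes*.dex starts with "dex\n0NN\0"


def _forms(s: bytes):
    """DEX string data is (M)UTF-8; the binary AndroidManifest.xml string
    pool is normally UTF-16LE, so search for both encodings."""
    return (s, s.decode("ascii").encode("utf-16-le"))


def _contains(blob: bytes, needle: bytes) -> bool:
    return any(form in blob for form in _forms(needle))


def triage_apk(apk_bytes: bytes) -> dict:
    """Return APK/DEX hashes, per-DEX string hits and manifest permission hits."""
    report = {
        "sha256": hashlib.sha256(apk_bytes).hexdigest(),
        "dex": {},
        "manifest_hits": [],
        "warnings": [],
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_names = sorted(n for n in names if re.fullmatch(r"classes\d*\.dex", n))
        if not dex_names:
            report["warnings"].append("no classes*.dex entry")
        for name in dex_names:
            data = z.read(name)
            if not data.startswith(DEX_MAGIC):
                report["warnings"].append(f"{name}: bad DEX magic")
            report["dex"][name] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
                "hits": [s.decode() for s in SUSPICIOUS_STRINGS if _contains(data, s)],
            }
        if "AndroidManifest.xml" in names:
            manifest = z.read("AndroidManifest.xml")
            report["manifest_hits"] = [
                s.decode() for s in SUSPICIOUS_STRINGS
                if s.startswith(b"android.permission.") and _contains(manifest, s)
            ]
        else:
            report["warnings"].append("AndroidManifest.xml missing")
    return report


def repack_with_extra_entry(apk_bytes: bytes, name: str = "assets/pad.bin") -> bytes:
    """Copy every entry unchanged and add one junk file: same code, new APK
    hash. (This also invalidates the APK signature; a real repack re-signs.)"""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info, src.read(info))
        dst.writestr(name, b"\x00")
    return out.getvalue()


def build_sample_apk() -> bytes:
    """Constructed sample, NOT a real app: three DEX entries, one carrying SMS
    strings, and a stand-in manifest whose string pool is UTF-16LE."""
    def fake_dex(strings: bytes) -> bytes:
        return DEX_MAGIC + b"035\x00" + b"\x00" * 16 + strings

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00"
                   + "android.permission.READ_SMS".encode("utf-16-le") + b"\x00\x00")
        z.writestr("classes.dex", fake_dex(b"Landroid/telephony/SmsManager;\x00content://sms\x00"))
        z.writestr("classes2.dex", fake_dex(b"Lcom/example/covid/Tracker;\x00"))
        z.writestr("classes3.dex", fake_dex(b"Lokhttp3/OkHttpClient;\x00"))
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_apk()
    for label, apk in (("original", original), ("repacked", repack_with_extra_entry(original))):
        r = triage_apk(apk)
        print(f"{label}: apk sha256={r['sha256'][:16]}... manifest={r['manifest_hits']}")
        for dex, e in r["dex"].items():
            print(f"  {dex}: sha256={e['sha256'][:16]}... hits={e['hits']}")
```

Run against a real APK by reading the file into bytes and calling triage_apk(); the per-DEX SHA-256 values are what you want to pivot on, because they survive the repackaging that changes the APK-level hash and defeats a plain hash lookup.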
>Never store your payment details on your phone for any auto-pay/renewing subscription.
>Never grant permissions to unknown apps (mainly camera/message access).
>Never install an app from a link received via mail/chat; it is always good to trace the source.
>If you want to install an app from an untrusted source, have the file analyzed in a sandbox such as Joe Sandbox or Hybrid Analysis to know whether any of the app's components has been red-flagged.
Note: This article is purely individual research and is not to be used/published anywhere without the author's consent.
Care to Donate for Research Purpose?
1E4v8eXjieNhKDWc5Rww84D2TXrqxcjVKZ (only BTC Accepted)