In 2019, Kaspersky tipped us off about CamScanner, a PDF creator app that was a download hit with users and had been contaminated with a Trojan. By mid-March, more than 200 applications infected by malicious code dubbed "Sinbad" were available in the official Google Play store, affecting 150 million users. As soon as May started, we had another case of apps with malware that had bypassed Google's security mechanisms.
In July of that year we saw 7 apps that Google Play had removed from its store because they were dedicated to spying on whoever had them on their smartphone without the owner knowing it; and today we find a new malware that, with such a name, could not be anything else: THE JOKER.
New malware: Joker
Named after one of the most essential comic book villains and an authentic icon of popular culture (and fashionable again thanks to the film of the same name that is sweeping awards), The Joker is a malware that has managed to sneak into many applications within the Google Play Store for Android. The virus acts in 2 phases, and its danger is not only that it steals your data, but that it also steals money in real time. This is how it works:
- Device infection, using the malware to integrate into the system
- Identification of the country in which the terminal is located
- Communication with the attackers' command-and-control (C&C) server kept to a minimum, just enough to receive encrypted settings
- Decryption of a DEX file (an executable file saved in a format that contains compiled code written for Android) and loading of that file
- Theft of SMS messages, including the data of whoever sends us the message
- Theft of the contact list and of device data
- Interaction with advertising websites to withdraw money through the infected mobile
A malware that steals money from you
The worst thing about this second phase is that the Joker malware starts interacting with ad websites, using authorization codes for premium subscriptions on those pages and simulating clicks on banners and the like; that is, it signs us up for advertising services we have not requested. Through this technique, Joker can make up to 6.71 euros a week in countries like Denmark thanks to the automation of the process of interacting with the premium offer of a specific website.
In order to maximize its attacks but minimize the risk of being caught, The Joker only operates in a certain number of countries, Spain included. In fact, many of the apps infected with this malware carry a list of Mobile Country Codes (MCC) to know which country they are operating in. If you use a SIM from one of the countries on the list, phase 2 of the virus is activated, which involves SMS, data and monetary action.
Most of the compromised applications operate in European and Asian countries and have an additional check to avoid doing so in the United States or Canada, although some apps do infect North American SIM cards.
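As an added example (not code from the article or from any vendor tool), the following Python triage heuristic checks an unpacked app for the combination of behaviours described above: SMS and contact permissions in the manifest, runtime loading of a second-stage DEX, and a country gate built from Mobile Country Codes. The sample manifest and string table are constructed; the MCC values and the scoring weights are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions matching the article's phase two (SMS and contact theft).
SENSITIVE_PERMS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
}
# API names whose presence suggests a DEX payload is decrypted and loaded at runtime.
DYNAMIC_LOAD_MARKERS = ("DexClassLoader", "loadDex")
# Assumed gate: public MCCs of countries the article names as targeted
# (Spain 214, Denmark 238, UK 234, UAE 424, Argentina 722).
TARGET_MCCS = {"214", "238", "234", "424", "722"}
# Canada (302) and one US code (310), for the US/Canada exclusion the article mentions.
EXCLUDED_MCCS = {"302", "310"}


def manifest_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")}


def triage(manifest_xml: str, dex_strings: list) -> dict:
    """Score an app on the three indicators; higher means closer to the Joker pattern."""
    found_perms = sorted(manifest_permissions(manifest_xml) & SENSITIVE_PERMS)
    dynamic_load = any(m in s for s in dex_strings for m in DYNAMIC_LOAD_MARKERS)
    # A cluster of three-digit literals that are all known MCCs reads as a country gate.
    literals = {s for s in dex_strings if re.fullmatch(r"\d{3}", s)}
    mcc_gate = sorted(literals & TARGET_MCCS)
    score = len(found_perms) + (2 if dynamic_load else 0) + (2 if len(mcc_gate) >= 2 else 0)
    verdict = "suspicious" if score >= 4 else ("review" if score else "clean")
    return {"sensitive_permissions": found_perms, "dynamic_dex_loading": dynamic_load,
            "mcc_gate": mcc_gate, "north_america_check": bool(literals & EXCLUDED_MCCS),
            "score": score, "verdict": verdict}


# Constructed sample input showing all three indicators at once.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_STRINGS = ["dalvik/system/DexClassLoader", "getSimOperator", "214", "238", "234", "310"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```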
Countries affected by Joker
- Argentine Republic
- United Arab Emirates
- United Kingdom
Where does this malware come from? Although tracing it is complicated, the truth is that both the user interface of the Joker C&C panel and some of the comments in its code base are written in Chinese.
After infecting more than 500 thousand Huawei mobile phones in 2020, the Joker has returned. Despite the security of the Android store, The Joker has once again managed to sneak into up to 8 applications, some of them with more than 100,000 downloads.
According to the Belgian Police, these eight applications are the ones that have tested positive for the malware:
- Auxiliary Message
- Element Scanner
- Fast Magic SMS
- Free CamScanner
- Go Messages
- Super Message
- Great SMS
Like the previous variants, it can also subscribe users to websites that offer paid services, which means users risk a big surprise at the end of the month when their bank account or credit card statement arrives in the mailbox. In the past, some victims have been found paying more than 240 pounds (279 euros) a year for these fraudulent subscriptions.