Description
A trojan application for devices running the Android operating system. It is designed to automatically subscribe users to premium mobile services. It is spread under the guise of harmless apps and games that appear legitimate, work as intended and show no suspicious activity. The trojan has a modular structure, with additional modules downloaded from the Internet. The list of known modifications of the trojan, along with information about indicators of compromise, is available via the link at the end of this description.
Operating routine
Upon launch, Android.Joker.531 requests a URL of the form hxxps://superkeyboard[.]oss-ap-southeast-1[.]aliyuncs[.]com/201028120701/" + versionName + ".txt to download its configuration from the remote server, where versionName is the current version of the trojan application.
An example of the server response:
{"successLimitList":
  [{"country":"TH","operatorNumber":"52001|52003|52023","successlimit":10,"operator":"TH_AIS","timeout":3,"flowType":"0"},
   {"country":"TH","operatorNumber":"52099|52004|52000|52088|52025","successlimit":10,"operator":"TH_TRUEMOVE","timeout":8,"flowType":"1"},
   {"country":"TH","operatorNumber":"52018|52005|52047","successlimit":10,"operator":"TH_DTAC","timeout":3,"flowType":"0"},
   {"country":"SA","operatorNumber":"42003|42006","successlimit":10,"operator":"SA_MOBILY","timeout":5,"flowType":"2"},
   {"country":"SA","operatorNumber":"42001","successlimit":10,"operator":"SA_STC","timeout":5,"flowType":"2"},
   {"country":"SA","operatorNumber":"42004","successlimit":10,"operator":"SA_ZAIN","timeout":5,"flowType":"2"},
   {"country":"SA","operatorNumber":"42005","successlimit":10,"operator":"SA_VIRGIN","timeout":5,"flowType":"2"},
   {"country":"AE","operatorNumber":"42403","successlimit":10,"operator":"AE_DU","timeout":5,"flowType":"2"},
   {"country":"AE","operatorNumber":"42402|43102|43002","successlimit":10,"operator":"AE_ETISALAT","timeout":5,"flowType":"2"},
   {"country":"BH","operatorNumber":"42604","successlimit":10,"operator":"BH_STC(VIVA)","timeout":5,"flowType":"2"},
   {"country":"BH","operatorNumber":"42601|42605","successlimit":10,"operator":"BH_Batelco","timeout":5,"flowType":"2"},
   {"country":"BH","operatorNumber":"42602","successlimit":10,"operator":"BH_Zain","timeout":5,"flowType":"2"},
   {"country":"PL","operatorNumber":"26007|26098|26006","successlimit":10,"operator":"PL_PLAY","timeout":5,"flowType":"2"},
   {"country":"PL","operatorNumber":"26005|26003","successlimit":10,"operator":"PL_ORANGE","timeout":5,"flowType":"2"},
   {"country":"PL","operatorNumber":"26001|26011","successlimit":10,"operator":"PL_PLUS","timeout":5,"flowType":"2"},
   {"country":"PL","operatorNumber":"26034|26002|26010","successlimit":10,"operator":"PL_T-Mobile","timeout":5,"flowType":"2"}],
 "sdkUrl":"hxxp://novasdk[.]oss-cn-beijing[.]aliyuncs.com/newSysSdkplugin007[.]apk",
 "keys":["dex","com.novasdk.sdkplugin.NovaTaskController","performTask","java/lang/ClassLoader","getSystemClassLoader","()Ljava/lang/ClassLoader;","dalvik/system/DexClassLoader","(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V","loadClass","(Ljava/lang/String;)Ljava/lang/Class;","(Landroid/content/Context;)V"],
 "logFlag":"0",
 "fbId":"",
 "guid":"",
 "sdkVersion":"newSysSdkplugin007.apk"}
Using the link in the sdkUrl parameter of the received configuration, the trojan downloads the encrypted payload (Android.Joker.242.origin), which it then decrypts and executes.
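The following analysis helper is an added example, not code from the trojan or from this description. It parses a configuration in the format shown above, indexes the successLimitList entries by the MCC+MNC codes packed into operatorNumber so a SIM can be matched against the targeting list, and flags the DexClassLoader strings in keys that indicate the downloaded payload is loaded as code. The embedded sample is a constructed subset of the response quoted above.

```python
import json
from typing import Optional

# Constructed sample: a trimmed subset of the server response quoted above.
SAMPLE_CONFIG = r'''{"successLimitList":
[{"country":"TH","operatorNumber":"52001|52003|52023","successlimit":10,"operator":"TH_AIS","timeout":3,"flowType":"0"},
{"country":"SA","operatorNumber":"42003|42006","successlimit":10,"operator":"SA_MOBILY","timeout":5,"flowType":"2"},
{"country":"PL","operatorNumber":"26034|26002|26010","successlimit":10,"operator":"PL_T-Mobile","timeout":5,"flowType":"2"}],
"sdkUrl":"hxxp://novasdk[.]oss-cn-beijing[.]aliyuncs.com/newSysSdkplugin007[.]apk",
"keys":["dex","com.novasdk.sdkplugin.NovaTaskController","performTask","dalvik/system/DexClassLoader","loadClass"],
"logFlag":"0","fbId":"","guid":"","sdkVersion":"newSysSdkplugin007.apk"}'''


def parse_config(text: str) -> dict:
    """Parse a raw response and index the target list by PLMN code.

    operatorNumber holds one or more MCC+MNC codes separated by '|';
    each code is mapped to its full entry so a SIM can be matched directly.
    """
    cfg = json.loads(text)
    targets = {}
    for entry in cfg.get("successLimitList", []):
        for plmn in entry["operatorNumber"].split("|"):
            targets[plmn.strip()] = entry
    return {
        "targets": targets,
        "sdk_url": cfg.get("sdkUrl", ""),
        "sdk_version": cfg.get("sdkVersion", ""),
        "keys": cfg.get("keys", []),
    }


def match_operator(parsed: dict, plmn: str) -> Optional[dict]:
    """Return the entry for a SIM's MCC+MNC, or None if that SIM is not targeted."""
    return parsed["targets"].get(plmn)


def targeted_countries(parsed: dict) -> set:
    """Country codes for which the configuration carries target entries."""
    return {e["country"] for e in parsed["targets"].values()}


def uses_dynamic_loading(parsed: dict) -> bool:
    """True if the 'keys' strings reference DexClassLoader, i.e. the
    downloaded payload is meant to be loaded as executable code."""
    return any("DexClassLoader" in k for k in parsed["keys"])
```

A SIM outside the listed PLMN codes gets no entry, which matches the observation that the trojan only acts on subscribers of the configured operators.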
Next, Android.Joker.531 requests notification access. If the user grants it, the trojan begins monitoring notifications about incoming SMS. When such a notification appears, the malware sends a broadcast message with the SEND_APP_NOTIFICATION_ACTION intent, adding android.text and android.title to the extras. In this way, Android.Joker.531 tries to intercept incoming confirmation codes (PINs) sent by the premium services that the Android.Joker.242.origin module subscribes the victim to. If successful, the module receives the code and completes the subscription.
Moreover, access to the contents of notifications about incoming SMS allows Android.Joker.531 not only to search for PINs but also to obtain information about all other SMS. As a result, users risk both losing money on premium services they never wanted and becoming victims of data leaks.