FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Android.Joker.531

Added to the Dr.Web virus database: 2021-01-27

Virus description added:

Description

A trojan application for devices running the Android operating system. It is designed to automatically subscribe users to premiums mobile services. It is spread under the guise of harmless apps and games that appear legitimate, work as intended and do not show any suspicious activity. The trojan has a modular structure, with additional modules downloaded from the Internet. The list of known modifications of the trojan, along with information about indicators of compromise, are available in the link at the end of this description.

Operating routine

Upon launching, Android.Joker.531 opens the link like hxxps://superkeyboard[.]oss-ap-southeast-1[.]aliyuncs[.]com/201028120701/" + versionName + ".txt to download the configuration from the remote server, where versionName is the current version of the trojan application.

An example of the server response:

{"successLimitList":
[{"country":"TH","operatorNumber":"52001|52003|52023","successlimit":10,"operator":"TH_AIS","timeout":3,"flowTy
pe":"0"},
{"country":"TH","operatorNumber":"52099|52004|52000|52088|52025","successlimit":10,"operator":"TH_TRUEMOVE
","timeout":8,"flowType":"1"},
{"country":"TH","operatorNumber":"52018|52005|52047","successlimit":10,"operator":"TH_DTAC","timeout":3,"flowT
ype":"0"},
{"country":"SA","operatorNumber":"42003|42006","successlimit":10,"operator":"SA_MOBILY","timeout":5,"flowType"
:"2"},
{"country":"SA","operatorNumber":"42001","successlimit":10,"operator":"SA_STC","timeout":5,"flowType":"2"},
{"country":"SA","operatorNumber":"42004","successlimit":10,"operator":"SA_ZAIN","timeout":5,"flowType":"2"},
{"country":"SA","operatorNumber":"42005","successlimit":10,"operator":"SA_VIRGIN","timeout":5,"flowType":"2"},
{"country":"AE","operatorNumber":"42403","successlimit":10,"operator":"AE_DU","timeout":5,"flowType":"2"},
{"country":"AE","operatorNumber":"42402|43102|43002","successlimit":10,"operator":"AE_ETISALAT","timeout":5,"fl
owType":"2"},
{"country":"BH","operatorNumber":"42604","successlimit":10,"operator":"BH_STC(VIVA)","timeout":5,"flowType":"2"
},
{"country":"BH","operatorNumber":"42601|42605","successlimit":10,"operator":"BH_Batelco","timeout":5,"flowType":
"2"},
{"country":"BH","operatorNumber":"42602","successlimit":10,"operator":"BH_Zain","timeout":5,"flowType":"2"},
{"country":"PL","operatorNumber":"26007|26098|26006","successlimit":10,"operator":"PL_PLAY","timeout":5,"flowTy
pe":"2"},
{"country":"PL","operatorNumber":"26005|26003","successlimit":10,"operator":"PL_ORANGE","timeout":5,"flowType"
:"2"},
{"country":"PL","operatorNumber":"26001|26011","successlimit":10,"operator":"PL_PLUS","timeout":5,"flowType":"2"
},
{"country":"PL","operatorNumber":"26034|26002|26010","successlimit":10,"operator":"PL_T-Mobile","timeout":5,"flo
wType":"2"}],
"sdkUrl":"hxxp://novasdk[.]oss-cn-beijing[.]aliyuncs.com/newSysSdkplugin007[.]apk",
"keys":["dex","com.novasdk.sdkplugin.NovaTaskController","performTask","java/lang/ClassLoader","getSystemClassL
oader","()Ljava/lang/ClassLoader;","dalvik/system/DexClassLoader","(Ljava/lang/String;Ljava/lang/String;Ljava/lang/
String;Ljava/lang/ClassLoader;)V","loadClass","(Ljava/lang/String;)Ljava/lang/Class;","(Landroid/content/Context;)V"],
"logFlag":"0",
"fbId":"",
"guid":"",
"sdkVersion":"newSysSdkplugin007.apk"}

Using the link from the sdkUrl parameter from the received configuration, the trojan downloads the encrypted payload (Android.Joker.242.origin), which it then decrypts and executes.

Next, Android.Joker.531 requests the permission to work with notifications. If permission is granted by the user, the trojan begins tracking notifications about incoming SMS. When a notification appears, the malware sends a broadcast message with the SEND_APP_NOTIFICATION_ACTION intent, adding android.text and android.title to the extras. This way, Android.Joker.531 tries to intercept incoming confirmation codes (PINs) sent from premium services that the Android.Joker.242.origin module subscribes the victim to. If successful, the module receives the code and completes the subscription.

Moreover, having access to the contents of notifications about incoming SMS not only allows Android.Joker.531 to search for PINs, but also obtain information about all other SMS. As a result, users risk losing money on premium services they did not want and becoming victim to data leaks.

Indicators of compromise

News about the trojan

Curing recommendations

Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play