{
	"id": "11a18dcd-5e40-4d8d-9f24-b44d9a72fa41",
	"created_at": "2026-04-06T00:15:11.376642Z",
	"updated_at": "2026-04-10T03:30:32.726602Z",
	"deleted_at": null,
	"sha1_hash": "1d166fb83a4e4c0108cdc2032faeff4c17e1acdd",
	"title": "No Joking Around with JOKER",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1058015,
	"plain_text": "No Joking Around with JOKER\r\nPublished: 2021-05-05 · Archived: 2026-04-05 19:37:33 UTC\r\nThe Joker malware family has been consistently targeting Android users since it was discovered in 2017 and is one of the most active malware families on the Google Play Store. It continues to find new tricks and tactics to stay undetected by making small changes to its code or changing its payload download techniques.\r\nThe family name “Joker” was derived from the Command and Control (C2) domain name it used in its early days. This malware attempts to steal SMS messages and contacts from the victim’s device and silently signs its victims up for premium services without their knowledge.\r\nAt K7 Labs, we recently noticed a new Joker malware sample on the Google Play Store, which utilizes Android packers like “Tencent’s Legu” and “ijiami” to evade detection.\r\nFigure 1: Malicious Joker Apps from Google Play Store Protected with Packer\r\nIn this blog, we will be analyzing the sample kindledev.nap.ksms, which uses Tencent’s Legu Packer to hide its malicious payload functionality as shown in Figure 2.\r\nhttps://labs.k7computing.com/?p=22199\r\nPage 1 of 6\r\nFigure 2: APK Protected with Tencent’s Legu Packer\r\nTechnical Analysis\r\nOnce launched, at runtime it unpacks the malicious Android Package (APK) and contacts the C2 server to download a malicious Dalvik Executable (DEX) file payload as shown in Figure 3, which enables the malware and adds other capabilities.\r\nFigure 3: Malicious Payload from C2 Server\r\nThis malicious payload continuously sends POST requests to hxxp[:]//161[.]117[.]46[.]64/svhyqj/mjcxzy for communication as shown in Figure 4.\r\nFigure 4: Encrypted Data sent to C2 in POST\r\nThis Joker Trojan attempts to intercept SMS message notifications as shown in Figure 5.\r\nFigure 5: Intercept SMS Messages\r\nThis Trojan also silently signs up the victim for WAP (Wireless Application Protocol) fraud as shown in Figure 6.\r\nFigure 6: WAP Fraud by Joker Trojan\r\nMitigations\r\nUse the official App Store to download apps\r\nCarefully read the user reviews before installing apps\r\nEnsure you protect your device and data by using a reputable security product like K7 Mobile Security and keeping it up-to-date, to scan all downloaded apps, irrespective of the source\r\nIndicators Of Compromise (IOCs)\r\nInfected Package Name on Google Play Store | Hash | Packer | Detection Name\r\ncom.upinklook.kunicam | 4a0d873780a7132d1e2b407d9c5db801 | ijiami | Trojan ( 0057931a1 )\r\ncom.keykeybor.borprem.forpiknovonlines | dab94a0370d933a12f1bba217e9b29ad | ijiami | Trojan ( 0001140e1 )\r\nkindledev.nap.ksms | 8e6ef3afeac8aaf94191fa95121244a9 | Tencent’s Legu | Trojan ( 0001140e1 )\r\ncom.beautifulnature.freshwallpapers | 18a9aa9d52d78c2b87ac0b2332e46b03 | Tencent’s Legu | Trojan ( 0001140e1 )\r\ncom.camerasideas.collagemaker | f36aa54257bb4ca184db537293415a4a | ijiami | Trojan ( 0057931a1 )\r\ncc.lask.as | b3a7042186cb7957726b468bc1024d6b | Tencent’s Legu | Trojan ( 0001140e1 )\r\ninksms.beatmessages.messaging | ac2f1708ba265b2152aed0c43b7be2ea | Tencent’s Legu | Trojan ( 0001140e1 )\r\ncom.translate2021.forall.language | bf84acfcd727c8aead7f81d73fc41082 | Tencent’s Legu | Trojan ( 0001140e1 )\r\ncom.multicamera.coolwending.translator | fccf657d5e61d53ceff6943e7263f8d3 | Tencent’s Legu | Trojan ( 0001140e1 )\r\ncom.alltxt.translate.photo.convert | 8668549e97b60bfccfb4082f2bb9fc62 | Tencent’s Legu | Trojan ( 0001140e1 )\r\ncom.sophisticated.gifmakermax | c5eb32e4ff466702fd95429b8a367686 | Tencent’s Legu | Trojan ( 0001140e1 )\r\neverysearch.artifact | f9b089e22514f1824a0e0c0bee4248ce | Tencent’s Legu | Trojan ( 0001140e1 )\r\ncom.kong.toouch.ass.iphoea | 0f9f4d088a69659a4791ef5d883c0487 | ijiami | Trojan ( 0057931a1 )\r\nlivepictures.livebackground.lightningwallpaper | 652d67cfb68278306e22545c551ac64d | Tencent’s Legu | Trojan ( 0001140e1 )\r\ncom.camscanner.docscanner.multidocscanner | 8cb23726b1438e734ba3708995ae36c2 | Tencent’s Legu | Trojan ( 0001140e1 )\r\ncplus.mirzatext.translateapp | 33b6a1a6d1d31a63c33666ba6a8be8d3 | Tencent’s Legu | Trojan ( 0001140e1 )\r\ncom.freecollger.make.photocollage | f53560912c64f236bbd71995204b4962 | Tencent’s Legu | Trojan ( 0001140e1 )\r\ncom.wandaretech.flashinterpreter | d595f2c5b39728269a531bd018740484 | Tencent’s Legu | Trojan ( 00579d201 )\r\nPayload URLs\r\nmul4[.oss-ap-southeast-5.aliyuncs[.com\r\nhwayt[.oss-us-east-1.aliyuncs[.com\r\nwansgo[.oss-ap-southeast-5.aliyuncs[.com\r\nselct[.oss-ap-southeast-2.aliyuncs[.com\r\nscanlucky[.oss-us-east-1.aliyuncs[.com\r\nbanca[.oss-us-east-1.aliyuncs[.com\r\nbiggerone[.oss-us-east-1.aliyuncs[.com\r\nlucky-bird[.oss-me-east-1.aliyuncs[.com\r\nlinchen-bucket[.oss-us-east-1.aliyuncs[.com\r\nbreezea[.oss-us-east-1.aliyuncs[.com\r\nfronta[.oss-us-west-1.aliyuncs[.com\r\nwarriorss[.oss-us-west-1.aliyuncs[.com\r\nFinal C2 Servers\r\n161[.117.226.98\r\n161[.117.250.158\r\n161[.117.62.127\r\n161[.117.46.64\r\nSource: https://labs.k7computing.com/?p=22199",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/?p=22199"
	],
	"report_names": [
		"?p=22199"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434511,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d166fb83a4e4c0108cdc2032faeff4c17e1acdd.pdf",
		"text": "https://archive.orkl.eu/1d166fb83a4e4c0108cdc2032faeff4c17e1acdd.txt",
		"img": "https://archive.orkl.eu/1d166fb83a4e4c0108cdc2032faeff4c17e1acdd.jpg"
	}
}