{
	"id": "fdd1611a-10b5-4100-9d21-67e90ad592ba",
	"created_at": "2026-04-06T00:07:18.200322Z",
	"updated_at": "2026-04-10T03:28:02.799419Z",
	"deleted_at": null,
	"sha1_hash": "fe8020278545486db8984facba490e0150c99067",
	"title": "Analysis of Joker — A Spy \u0026 Premium Subscription Bot on GooglePlay",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1353220,
	"plain_text": "Analysis of Joker — A Spy \u0026 Premium Subscription Bot on GooglePlay\r\nBy Aleksejs Kuprins\r\nPublished: 2019-09-09 · Archived: 2026-04-05 20:32:47 UTC\r\nSep 3, 2019\r\nOver the past couple of weeks, we have been observing a new Trojan on GooglePlay. So far, we have detected it in 24 apps with 472,000+ installs in total. The malware — going by the name “the Joker” (which was borrowed from one of the C\u0026C domain names) — delivers a second stage component, which silently simulates interaction with advertisement websites and steals the victim’s SMS messages, contact list and device info. The automated interaction with the advertisement websites includes simulated clicks and entering authorization codes for premium service subscriptions. For example, in Denmark, Joker can silently sign the victim up for a 50 DKK/week service (roughly 6,71 EUR). This works by automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for an SMS message with a confirmation code and extracting it using regular expressions. Finally, the Joker submits the extracted code to the offer’s webpage in order to authorize the premium subscription.\r\nThe Joker malware only attacks targeted countries. Most of the infected apps contain a list of Mobile Country Codes (MCC), and the victim has to be using a SIM card from one of these countries in order to receive the second stage payload. The majority of the discovered apps target EU and Asian countries; however, some apps allow any country to join. Furthermore, most of the discovered apps have an additional check, which makes sure that the payload won’t execute when running within the US or Canada. The UI of the C\u0026C panel and some of the bot’s code comments are written in Chinese, which could be a hint in terms of geographical attribution.\r\nhttps://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451\r\nPage 1 of 9\r\nThe full list of 37 targeted countries includes: Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom and United States.\r\nBesides loading the second stage DEX file, the malware also receives dynamic code and commands over HTTP and runs that code via JavaScript-to-Java callbacks. Such an approach provides an extra layer of protection against static analysis, since a lot of the instructions in this case are not hard-coded into the malicious app on GooglePlay.\r\nLoader\r\nIn most of the apps, the developers have inserted the Joker initialization component into one or another advertisement framework. The little package of malicious code typically consists of:\r\n• Target country checking via MCC\r\n• Minimal C\u0026C communication — just enough to report the infection and receive the encrypted configuration\r\n• DEX decryption \u0026 loading\r\n• A notification listener — when a new SMS message arrives, this listener captures it and sends out a broadcast for the Core (second stage) component to pick up.\r\nOften, an app contains a so-called “Splash” screen — an activity which displays the app’s logo while performing various initialization processes in the background. Some of the Joker apps use such an activity for initialization as well.\r\n310 and 302 are the MCC codes for USA and Canada\r\nThe Joker employs custom string obfuscation schemes for all of the configuration/payload/communication parsing procedures. The code listing below displays an example of an obfuscated MCC code list (DEFAULT_COUNTRY_ISO), separated by the underscore symbol.\r\nIn this case, a method for de-obfuscation dynamically builds a string “28 Ux0-” and removes it from these strings\r\nAfter the initialization is done, the malware downloads an obfuscated and AES-encrypted configuration from the payload distribution C\u0026C server. Joker composes the AES key for the configuration string decryption using yet another string scheme, which concatenates the app’s package name with the MCC code string and shuffles the symbols around in a specific way. Eventually, the settings for the second stage retrieval decrypt to a message of the following format:\r\n#x#https://tb-eu-jet.oss-eu-central-1.aliyuncs.com/s8-all#x#18#x#32#x#com.plane.internal.Entrance#x#i\r\nThe configuration string above contains the necessary information about the second stage code — the core component of the Joker. Being split by a 3-symbol delimiter, the configuration string above contains (ordered):\r\n1. The URL for the Joker Core DEX file — this file is obfuscated\r\n2. The de-obfuscation “keys” — indexes into the obfuscated read buffer\r\n3. The initialization class name — the class which implements the initialization method\r\n4. The initialization method name — which method to call upon loading\r\n5. The C\u0026C URL\r\n6. The campaign tag\r\nThe Loader downloads the DEX and starts the de-obfuscation routine. The said routine reads the DEX file into a buffer 128 bytes at a time. The de-obfuscation “keys” are positional indexes into this buffer. For each iteration, the routine reads the bytes of the obfuscated buffer only between these positions and writes them into a file, producing a valid DEX file in the end.\r\nCore\r\nThis malware kit stands out as a small and silent one. It uses as little Java code as possible and thus leaves as small a footprint as possible. After all of the Loader’s MCC checks and payload loading, the Core component begins its work. It is designed in a job-scheduler fashion, meaning that it periodically requests new commands from the C\u0026C server. When any are found, it executes them in strict order and then reports the results, depending on the type of the given task. The figure below is an example of a command (truncated).\r\nA job message from Joker’s C\u0026C\r\nWhen Joker receives such a message, it proceeds to open the offer URL, injects the JavaScript commands one by one and waits for an authorization SMS (if any). When the SMS message arrives, the malware extracts the necessary authorization code using case-specific regular expressions. At other times, it simply sends an SMS message to a premium number, with a specific code from the offer page.\r\nSnippet of JavaScript from a premium offer page\r\nThe Joker knows to send a premium SMS message when it opens a premium offer page and finds an attribute whose value starts with “sms:”.\r\nJoker builds an SMS to be sent to a premium number, using data from the premium offer webpage\r\nWhenever the malware extracts a code from an SMS message, it also reports it to the C\u0026C after the job is complete. Hypothetically, the botnet operator can craft a job which would result in all incoming SMS messages being stolen.\r\nJoker’s SMS data exfiltration, encrypted with AES\r\nThe figure above is a sample of the second stage communication with the C\u0026C, and it contains the full text of a stolen test SMS message. It can be decrypted into a JSON object. The clear-text communication can also be observed using a debugger.\r\nA portion of a decrypted report, containing the stolen SMS message\r\nThe final important thing worth mentioning about the Joker is the phone book contact list theft. The core component collects all numbers in the contact list and sends them over to the C\u0026C in an encrypted form:\r\nContact list harvesting\r\nA total of 12 unique builds of the second stage payload were observed among the 24 infected apps. The version names come from the payload URLs and data inside the sample’s configuration class:\r\n• s8-release\r\n• s8-5-release\r\n• s8-5-dsp-release\r\n• s8-all\r\n• s9-6-release\r\n• s9-6-3\r\n• s9-3-sendsms\r\n• s9-6-2-release\r\n• Y12-all-no-log\r\n• Y12-no-log\r\n• Y13-all\r\n• Y13-all-v2-no-log\r\nSummary\r\nThe described trojan employs notably stealthy tactics to perform quite malicious activities on GooglePlay, while hiding within advertisement frameworks and not exposing too much of its malicious code out in the open. The earliest occurrence of the Joker in the wild that we can pinpoint comes from DNS metadata, which suggests that the Joker malware family began its recent campaigns in early June 2019. However, the major version digits in the build names give the impression of a slightly longer life cycle, potentially with more campaigns in the past.\r\nDespite the volume (24 apps), Google seems to be on top of this threat as much as is possible. Some of the apps do rack up 100,000+ installs before they get removed; however, the install number can always be artificial to some degree due to common astroturfing practices. Throughout this investigation, Google has been removing all of these apps without any note from us.\r\nWe recommend paying close attention to the permission list of the apps that you install on your Android device. Obviously, there usually isn’t a clear description of why a certain app needs a particular permission, which means that whenever you are downloading any app, you are still relying on your gut feeling to some extent.\r\nIOC\r\nThe first stage (payload distribution) C\u0026C: http://3.122.143[.]26/\r\nMain C\u0026Cs:\r\nhttp://joker2.dolphinsclean[.]com/\r\nhttp://beatleslover[.]com/\r\nhttp://47.254.144[.]154/\r\nSecond stage binaries (Core):\r\nUnpacked second stage of the build\r\nrule android_joker {\r\n    strings:\r\n        $c = { 52656D6F746520436C6F616B } // Remote Cloak\r\n        $cerr = { 6E6574776F726B2069737375653A20747279206C61746572 } // network issue: try later\r\n        $net = { 2F6170692F636B776B736C3F6963633D } // /api/ckwksl?icc=\r\n        $ip = { 332E3132322E3134332E3236 } // 3.122.143.26\r\n    condition:\r\n        ($c and $cerr) or $net or $ip\r\n}\r\nInfected Apps on GooglePlay:\r\nSource: https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451"
	],
	"report_names": [
		"analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451"
	],
	"threat_actors": [
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775791682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe8020278545486db8984facba490e0150c99067.pdf",
		"text": "https://archive.orkl.eu/fe8020278545486db8984facba490e0150c99067.txt",
		"img": "https://archive.orkl.eu/fe8020278545486db8984facba490e0150c99067.jpg"
	}
}