Android.Joker.531

Added to the Dr.Web virus database: 2021-01-27


Description

A trojan application for devices running the Android operating system. It is designed to automatically subscribe users to premium mobile services. It spreads under the guise of harmless apps and games that appear legitimate, work as intended and show no suspicious activity. The trojan has a modular structure, with additional modules downloaded from the Internet. The list of known modifications of the trojan, along with indicators of compromise, is available via the link at the end of this description.

Operating routine

Upon launching, Android.Joker.531 requests a URL of the form hxxps://superkeyboard[.]oss-ap-southeast-1[.]aliyuncs[.]com/201028120701/" + versionName + ".txt to download its configuration from the remote server, where versionName is the current version of the trojan application.

An example of the server response:

{"successLimitList":
[{"country":"TH","operatorNumber":"52001|52003|52023","successlimit":10,"operator":"TH_AIS","timeout":3,"flowType":"0"},
{"country":"TH","operatorNumber":"52099|52004|52000|52088|52025","successlimit":10,"operator":"TH_TRUEMOVE","timeout":8,"flowType":"1"},
{"country":"TH","operatorNumber":"52018|52005|52047","successlimit":10,"operator":"TH_DTAC","timeout":3,"flowType":"0"},
{"country":"SA","operatorNumber":"42003|42006","successlimit":10,"operator":"SA_MOBILY","timeout":5,"flowType":"2"},
{"country":"SA","operatorNumber":"42001","successlimit":10,"operator":"SA_STC","timeout":5,"flowType":"2"},
{"country":"SA","operatorNumber":"42004","successlimit":10,"operator":"SA_ZAIN","timeout":5,"flowType":"2"},
{"country":"SA","operatorNumber":"42005","successlimit":10,"operator":"SA_VIRGIN","timeout":5,"flowType":"2"},
{"country":"AE","operatorNumber":"42403","successlimit":10,"operator":"AE_DU","timeout":5,"flowType":"2"},
{"country":"AE","operatorNumber":"42402|43102|43002","successlimit":10,"operator":"AE_ETISALAT","timeout":5,"flowType":"2"},
{"country":"BH","operatorNumber":"42604","successlimit":10,"operator":"BH_STC(VIVA)","timeout":5,"flowType":"2"},
{"country":"BH","operatorNumber":"42601|42605","successlimit":10,"operator":"BH_Batelco","timeout":5,"flowType":"2"},
{"country":"BH","operatorNumber":"42602","successlimit":10,"operator":"BH_Zain","timeout":5,"flowType":"2"},
{"country":"PL","operatorNumber":"26007|26098|26006","successlimit":10,"operator":"PL_PLAY","timeout":5,"flowType":"2"},
{"country":"PL","operatorNumber":"26005|26003","successlimit":10,"operator":"PL_ORANGE","timeout":5,"flowType":"2"},
{"country":"PL","operatorNumber":"26001|26011","successlimit":10,"operator":"PL_PLUS","timeout":5,"flowType":"2"},
{"country":"PL","operatorNumber":"26034|26002|26010","successlimit":10,"operator":"PL_T-Mobile","timeout":5,"flowType":"2"}],
"sdkUrl":"hxxp://novasdk[.]oss-cn-beijing[.]aliyuncs.com/newSysSdkplugin007[.]apk",
"keys":["dex","com.novasdk.sdkplugin.NovaTaskController","performTask","java/lang/ClassLoader","getSystemClassLoader","()Ljava/lang/ClassLoader;","dalvik/system/DexClassLoader","(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V","loadClass","(Ljava/lang/String;)Ljava/lang/Class;","(Landroid/content/Context;)V"],
"logFlag":"0",
"fbId":"",
"guid":"",
"sdkVersion":"newSysSdkplugin007.apk"}

Using the link from the sdkUrl field of the received configuration, the trojan downloads an encrypted payload (Android.Joker.242.origin), which it then decrypts and executes.
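The configuration is what drives the trojan, so an analyst needs to be able to read one. The Python script below is an added example written for this page; it is not Dr.Web's code and not the trojan's own. It parses a server response in the format shown above, indexes the successLimitList entries by their operatorNumber codes, which read as MCC+MNC pairs of the targeted SIM operators (an interpretation of the data, not something the description states), and pulls the payload URL and the dynamic-code-loading strings out of keys. The sample configuration is a trimmed copy of the response above; treating flowType and timeout as per-operator subscription parameters is an assumption.

```python
"""Added example (not Dr.Web's code, not the trojan's): read an Android.Joker.531
configuration of the kind shown above and work out what it targets.

Assumptions (labelled): 'operatorNumber' values are MCC+MNC codes of SIM operators
(e.g. 52001 = Thailand / AIS) and the trojan picks the entry whose codes contain the
device's own MCC+MNC. Field names match the server response reproduced above.
"""
import json
import re
from typing import Optional

# Constructed sample: a trimmed copy of the configuration shown above,
# with the same field names and one entry per targeted country.
SAMPLE_CONFIG = r'''{"successLimitList":
[{"country":"TH","operatorNumber":"52001|52003|52023","successlimit":10,"operator":"TH_AIS","timeout":3,"flowType":"0"},
{"country":"SA","operatorNumber":"42003|42006","successlimit":10,"operator":"SA_MOBILY","timeout":5,"flowType":"2"},
{"country":"AE","operatorNumber":"42402|43102|43002","successlimit":10,"operator":"AE_ETISALAT","timeout":5,"flowType":"2"},
{"country":"PL","operatorNumber":"26034|26002|26010","successlimit":10,"operator":"PL_T-Mobile","timeout":5,"flowType":"2"}],
"sdkUrl":"hxxp://novasdk[.]oss-cn-beijing[.]aliyuncs.com/newSysSdkplugin007[.]apk",
"keys":["dex","com.novasdk.sdkplugin.NovaTaskController","performTask","dalvik/system/DexClassLoader","loadClass"],
"logFlag":"0","fbId":"","guid":"","sdkVersion":"newSysSdkplugin007.apk"}'''


def parse_config(raw: str) -> dict:
    """Parse the JSON body and index the operator list by MCC+MNC code."""
    cfg = json.loads(raw)
    by_mccmnc = {}
    for entry in cfg.get("successLimitList", []):
        for code in entry["operatorNumber"].split("|"):
            by_mccmnc[code.strip()] = entry
    cfg["_by_mccmnc"] = by_mccmnc
    return cfg


def select_entry(cfg: dict, sim_mccmnc: str) -> Optional[dict]:
    """Entry matching a SIM with this MCC+MNC, or None when the operator is not
    in the target list (assumption: the trojan then has no flow to run)."""
    return cfg["_by_mccmnc"].get(sim_mccmnc)


def targeted_countries(cfg: dict) -> list:
    """Sorted ISO country codes present in the configuration."""
    return sorted({e["country"] for e in cfg.get("successLimitList", [])})


def refang(url: str) -> str:
    """Turn the defanged notation used above (hxxp, [.]) back into a real URL
    so it can be matched against proxy or DNS logs."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."))


def payload_indicators(cfg: dict) -> dict:
    """IOCs worth extracting: payload URL and host, plus whether the 'keys'
    list names DexClassLoader (reflective loading of the downloaded module)."""
    url = refang(cfg["sdkUrl"])
    host = re.match(r"https?://([^/]+)/", url).group(1)
    keys = cfg.get("keys", [])
    return {
        "payload_url": url,
        "payload_host": host,
        "dynamic_dex_loading": "dalvik/system/DexClassLoader" in keys,
        "entry_class": next((k for k in keys if k.startswith("com.")), None),
    }


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("targets:", targeted_countries(cfg))
    hit = select_entry(cfg, "52001")
    print("TH/AIS SIM ->", hit["operator"], "flowType", hit["flowType"], "timeout", hit["timeout"])
    print("DE SIM (26201) ->", select_entry(cfg, "26201"))
    print(payload_indicators(cfg))
```

Feeding a real captured response into parse_config gives the full operator map; a SIM outside the listed countries returns None, which is consistent with the trojan only targeting subscribers of the operators it has a flow for.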

Next, Android.Joker.531 requests access to notifications. If the user grants it, the trojan starts monitoring notifications about incoming SMS. When such a notification appears, the malware sends a broadcast with the SEND_APP_NOTIFICATION_ACTION intent, placing the notification's android.text and android.title in the extras. In this way Android.Joker.531 attempts to intercept the confirmation codes (PINs) sent by the premium services that the Android.Joker.242.origin module subscribes the victim to. If successful, the module receives the code and completes the subscription.

Moreover, access to the contents of incoming-SMS notifications lets Android.Joker.531 not only search for PINs but also read all other SMS. As a result, users risk both losing money on premium services they did not want and becoming victims of data leaks.
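Because notification access is the capability that makes the SMS interception possible, a useful check on a device is to see which packages hold it. The script below is an added example, not Dr.Web's code: it parses the value of the Android secure setting enabled_notification_listeners (obtained on a connected device with adb shell settings get secure enabled_notification_listeners) and flags packages not on an allowlist. The allowlist and the sample setting value are constructed for the example, and the package com.example.keyboardtheme in it is hypothetical, not an indicator from this description.

```python
"""Added example (not Dr.Web's code): audit which packages on an Android device
hold notification access, the capability Android.Joker.531 asks for in order to
read incoming-SMS notifications.

Input: the value of the secure setting 'enabled_notification_listeners', which is
what `adb shell settings get secure enabled_notification_listeners` prints. It is a
':'-separated list of flattened component names ('package/class'; the class may be
abbreviated to '.Class' relative to the package) or the string 'null' when empty.
"""
from typing import Dict, List

# Constructed sample; com.example.keyboardtheme is a hypothetical package name.
SAMPLE_SETTING = (
    "com.android.systemui/com.android.systemui.NotificationListener:"
    "com.google.android.apps.wear/.NotifListener:"
    "com.example.keyboardtheme/.SvcN"
)

# Packages this (constructed) baseline allows to read notifications.
ALLOWLIST = {"com.android.systemui", "com.google.android.apps.wear"}


def parse_listeners(setting: str) -> List[Dict[str, str]]:
    """Split the setting into package/class pairs, expanding '.Class' shorthand."""
    setting = setting.strip()
    if setting in ("", "null"):
        return []
    out = []
    for comp in filter(None, setting.split(":")):
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        out.append({"package": pkg, "class": cls})
    return out


def suspicious_listeners(setting: str, allowlist=ALLOWLIST) -> List[str]:
    """Packages with notification access that are not on the allowlist; these
    are the ones to review (a keyboard theme has no business reading SMS)."""
    return [c["package"] for c in parse_listeners(setting)
            if c["package"] not in allowlist]


if __name__ == "__main__":
    for c in parse_listeners(SAMPLE_SETTING):
        print(c["package"], "->", c["class"])
    print("review:", suspicious_listeners(SAMPLE_SETTING))
```

Revoking access for a flagged package on the device (Settings, Notification access) stops the interception even before the app is removed; the scan below still has to be run to get rid of the dropper itself.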

Indicators of compromise


Treatment recommendations

Android

  1. If your mobile device is working normally, download and install the free Dr.Web for Android Light antivirus product on it. Run a full scan and follow the recommendations for neutralising the detected threats.
  2. If the mobile device is locked by a trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the device's documentation or contact the manufacturer);
    • then download and install the free Dr.Web for Android Light antivirus product on the infected device, run a full scan and follow the recommendations for neutralising the detected threats;
    • power the device off and back on again.

Learn more about Dr.Web for Android

Dr.Web © Doctor Web
2003 — 2021
