Android.Joker.531

Added to the Dr.Web virus database: 2021-01-27

Description added:

Description

A trojan application for devices running the Android operating system. It is designed to automatically subscribe users to premium mobile services. It is spread under the guise of harmless apps and games that appear legitimate, work as intended and show no suspicious activity. The trojan has a modular structure, with additional modules downloaded from the Internet. The list of known modifications of the trojan, along with information about indicators of compromise, is available at the link at the end of this description.

Operating routine

Upon launching, Android.Joker.531 requests a URL of the form hxxps://superkeyboard[.]oss-ap-southeast-1[.]aliyuncs[.]com/201028120701/" + versionName + ".txt to download its configuration from the remote server, where versionName is the current version of the trojan application.

An example of the server response:

{"successLimitList":
  [{"country":"TH","operatorNumber":"52001|52003|52023","successlimit":10,"operator":"TH_AIS","timeout":3,"flowType":"0"},
   {"country":"TH","operatorNumber":"52099|52004|52000|52088|52025","successlimit":10,"operator":"TH_TRUEMOVE","timeout":8,"flowType":"1"},
   {"country":"TH","operatorNumber":"52018|52005|52047","successlimit":10,"operator":"TH_DTAC","timeout":3,"flowType":"0"},
   {"country":"SA","operatorNumber":"42003|42006","successlimit":10,"operator":"SA_MOBILY","timeout":5,"flowType":"2"},
   {"country":"SA","operatorNumber":"42001","successlimit":10,"operator":"SA_STC","timeout":5,"flowType":"2"},
   {"country":"SA","operatorNumber":"42004","successlimit":10,"operator":"SA_ZAIN","timeout":5,"flowType":"2"},
   {"country":"SA","operatorNumber":"42005","successlimit":10,"operator":"SA_VIRGIN","timeout":5,"flowType":"2"},
   {"country":"AE","operatorNumber":"42403","successlimit":10,"operator":"AE_DU","timeout":5,"flowType":"2"},
   {"country":"AE","operatorNumber":"42402|43102|43002","successlimit":10,"operator":"AE_ETISALAT","timeout":5,"flowType":"2"},
   {"country":"BH","operatorNumber":"42604","successlimit":10,"operator":"BH_STC(VIVA)","timeout":5,"flowType":"2"},
   {"country":"BH","operatorNumber":"42601|42605","successlimit":10,"operator":"BH_Batelco","timeout":5,"flowType":"2"},
   {"country":"BH","operatorNumber":"42602","successlimit":10,"operator":"BH_Zain","timeout":5,"flowType":"2"},
   {"country":"PL","operatorNumber":"26007|26098|26006","successlimit":10,"operator":"PL_PLAY","timeout":5,"flowType":"2"},
   {"country":"PL","operatorNumber":"26005|26003","successlimit":10,"operator":"PL_ORANGE","timeout":5,"flowType":"2"},
   {"country":"PL","operatorNumber":"26001|26011","successlimit":10,"operator":"PL_PLUS","timeout":5,"flowType":"2"},
   {"country":"PL","operatorNumber":"26034|26002|26010","successlimit":10,"operator":"PL_T-Mobile","timeout":5,"flowType":"2"}],
 "sdkUrl":"hxxp://novasdk[.]oss-cn-beijing[.]aliyuncs.com/newSysSdkplugin007[.]apk",
 "keys":["dex","com.novasdk.sdkplugin.NovaTaskController","performTask","java/lang/ClassLoader","getSystemClassLoader","()Ljava/lang/ClassLoader;","dalvik/system/DexClassLoader","(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V","loadClass","(Ljava/lang/String;)Ljava/lang/Class;","(Landroid/content/Context;)V"],
 "logFlag":"0",
 "fbId":"",
 "guid":"",
 "sdkVersion":"newSysSdkplugin007.apk"}

Using the link in the sdkUrl parameter of the received configuration, the trojan downloads the encrypted payload (Android.Joker.242.origin), which it then decrypts and executes. The operatorNumber values in successLimitList are mobile network codes (MCC+MNC), so the configuration tells the payload which countries and carriers to target, how many successful subscriptions to attempt (successlimit) and which subscription flow to use (flowType).
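A triage helper for a captured configuration of this format, added here as an example (not Dr.Web's or the trojan's own code): it indexes every MCC+MNC code to its operator entry, looks up whether a given SIM network is targeted, extracts the payload URL and flags the dynamic dex-loading strings in "keys". The embedded config is a constructed, abridged sample in the format shown above.

```python
import json

# Constructed sample in the trojan's configuration format (abridged from the
# description above; defanged URL kept as it appears on the page).
SAMPLE_CONFIG = '''{"successLimitList":
[{"country":"TH","operatorNumber":"52001|52003|52023","successlimit":10,"operator":"TH_AIS","timeout":3,"flowType":"0"},
{"country":"SA","operatorNumber":"42003|42006","successlimit":10,"operator":"SA_MOBILY","timeout":5,"flowType":"2"},
{"country":"PL","operatorNumber":"26034|26002|26010","successlimit":10,"operator":"PL_T-Mobile","timeout":5,"flowType":"2"}],
"sdkUrl":"hxxp://novasdk[.]oss-cn-beijing[.]aliyuncs.com/newSysSdkplugin007[.]apk",
"keys":["dex","com.novasdk.sdkplugin.NovaTaskController","performTask","dalvik/system/DexClassLoader","loadClass"],
"logFlag":"0","fbId":"","guid":"","sdkVersion":"newSysSdkplugin007.apk"}'''

# Strings in "keys" that indicate the payload is loaded at run time via DexClassLoader.
LOADER_MARKERS = {"dalvik/system/DexClassLoader", "loadClass"}


def parse_config(text):
    """Parse the JSON config and index each MCC+MNC code to its operator entry."""
    cfg = json.loads(text)
    index = {}
    for entry in cfg.get("successLimitList", []):
        # operatorNumber holds one or more MCC+MNC codes separated by '|'
        for code in entry["operatorNumber"].split("|"):
            index[code.strip()] = {
                "country": entry["country"],
                "operator": entry["operator"],
                "successlimit": int(entry["successlimit"]),
                "timeout": int(entry["timeout"]),
                "flowType": str(entry["flowType"]),
            }
    return cfg, index


def lookup_operator(index, mcc_mnc):
    """Return the targeting entry for a SIM's MCC+MNC, or None if that network is not targeted."""
    return index.get(mcc_mnc)


def triage(text):
    """Summarise a captured config: payload URL, targeted countries, code count, dynamic loading."""
    cfg, index = parse_config(text)
    return {
        "payload_url": cfg.get("sdkUrl"),
        "countries": sorted({e["country"] for e in index.values()}),
        "targeted_codes": len(index),
        "dynamic_dex_loading": bool(LOADER_MARKERS & set(cfg.get("keys", []))),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG))
    print(lookup_operator(parse_config(SAMPLE_CONFIG)[1], "42006"))
```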

Next, Android.Joker.531 requests notification access permission. If the user grants it, the trojan begins tracking notifications about incoming SMS. When such a notification appears, the malware sends a broadcast with the SEND_APP_NOTIFICATION_ACTION intent, adding android.text and android.title to the extras. In this way, Android.Joker.531 tries to intercept incoming confirmation codes (PINs) sent by the premium services that the Android.Joker.242.origin module subscribes the victim to. If successful, the module receives the code and completes the subscription.

Moreover, access to the contents of notifications about incoming SMS not only allows Android.Joker.531 to search for PINs, but also to obtain the contents of all other SMS. As a result, users risk losing money on premium services they did not want and becoming victims of data leaks.

Indicators of compromise


Treatment recommendations

Android

  1. If the mobile device is operating normally, download and install the free antivirus product Dr.Web for Android Light on it. Run a full system scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a ransomware trojan of the Android.Locker family (the screen displays an accusation of breaking the law, a demand to pay a certain sum of money, or another message that prevents normal use of the device), do the following:
    • boot your smartphone or tablet in safe mode (depending on the operating system version and the specifics of the particular mobile device, this procedure can be performed in different ways; consult the manual supplied with the device or contact its manufacturer directly);
    • after activating safe mode, install the free antivirus product Dr.Web for Android Light on the infected device and run a full system scan, following the recommendations for neutralizing the detected threats;
    • turn the device off and turn it on again in normal mode.
