Malicious Android App Poses as QR Scanner

Researchers uncovered a new wave of the Android malware “Joker” in a campaign that posed as a QR scanner app to target Android users. Joker combines spyware and trojan capabilities and is sophisticated enough to evade traditional malware analysis methods. The malware was initially found on the Google Play Store, where the attacker published a seemingly legitimate app posing as a “Free QR Scanner” under the developer name “Marcelo Bruce.” This variant was identified through a lead from a Tweet, and the app remained on the Google Play Store until July 05, 2021. The app was an updated version of Joker that downloads additional malware to the infected device and subscribes the victim to premium services without their knowledge. Joker’s authors keep modifying the application to evade Google Play Protect; those changes include altering the execution methods and using different payload retrieval techniques. The attackers used the well-established evasion techniques of dynamic code loading (DCL) and reflection, which let them fetch and load malicious code on the victim’s device at run time instead of shipping it inside the app that the store reviews. Once the app is installed and launched by the victim, it establishes a connection to the command-and-control server and then drops a trojan. According to the Cyble report, “The malware initiates malicious behavior from the application subclass, QR.barcode.scanner.scanner app. This class is executed first when the user starts the application.” During the infection process, researchers observed the attackers using a class called “Ferry” that can read notifications received on the victim’s device, including text messages, and cancel them without the user’s knowledge, a capability that lets the malware hide confirmation messages for the premium subscriptions described below. “The application has several Wireless Application Protocol (WAP) subscription URLs for its billing service. WAP billing is a payment method for purchasing content from sites, with the charges being directly added to the mobile phone bill. Using this billing service, attackers can target countries including the U.S., the U.K., India, Thailand, and Vietnam.” These subscriptions charge fees on a daily, weekly, or monthly basis, giving the attackers a recurring source of income. Joker ultimately steals text messages, device information, and contact details, and is also capable of stealing money from the victim’s bank account.

Analyst Notes

To mitigate this app and others like it, users should be wary of installing new free apps on Android devices, even when the app comes from the Google Play Store. Install mobile anti-virus software and keep it updated so that it can detect and remove malicious software. Keep devices and applications updated to the latest versions. Use strong passwords and enable two-factor authentication to protect online banking, email, and other high-value accounts that attackers frequently target. Download and install software only from trusted sites and official app stores, and preferably only if the app has been around for at least a few months. Review the privileges and permissions an app requests before granting them, and be wary of apps that ask for permissions that make no sense for their purpose. For example, a QR code reader should not need access to text messages or location services, and it has no reason to register as a notification listener, which is exactly the capability Joker’s “Ferry” class abuses to read and suppress incoming messages.
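The permission mismatch described in the note above, and the dynamic code loading and notification-listener abuse described in the write-up, can be checked statically before an app ever runs. The following Python script is an added example, not code from the original article or from the Cyble report: it reads a decoded AndroidManifest.xml (the text form produced by tools such as apktool) plus a list of strings pulled from the decompiled code, and flags permissions a QR scanner should not need, a declared notification listener service, and indicators of DCL and reflection. The package name, class names, code strings and the “expected permissions” table are all constructed for the example and are not taken from the real sample.

```python
"""Static triage of an Android app: permission mismatch and DCL indicators.

Added example, not from the article or the Cyble report. All sample data
below (manifest, package/class names, code strings) is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Android attributes are namespaced; ElementTree exposes them in Clark notation.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest in the decoded (apktool-style) text form.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.qrscanner">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:name="com.example.qrscanner.App">
        <activity android:name=".MainActivity"/>
        <service android:name=".NotifService"
                 android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed fragments of the kind seen in smali / strings output of an APK.
SAMPLE_CODE_STRINGS = [
    "Ldalvik/system/DexClassLoader;-><init>",
    "Ljava/lang/Class;->forName",
    "Ljava/lang/reflect/Method;->invoke",
    "Landroid/service/notification/NotificationListenerService;->cancelNotification",
    "http://example.invalid/pay/subscribe",   # not matched by any rule below
]

# Permissions a barcode/QR scanner legitimately needs (assumed baseline).
EXPECTED = {
    "qr_scanner": {
        "android.permission.CAMERA",
        "android.permission.INTERNET",
        "android.permission.VIBRATE",
        "android.permission.FLASHLIGHT",
    },
}

# Permissions whose presence in an unrelated app is a strong warning sign.
HIGH_RISK = {
    "android.permission.READ_SMS": "read SMS (OTP / subscription confirmations)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send premium-rate SMS",
    "android.permission.READ_PHONE_STATE": "collect device identifiers",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install dropped APKs",
}

NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Code-level indicators: dynamic code loading, reflection, notification suppression.
DCL_PATTERNS = [
    (re.compile(r"DexClassLoader|PathClassLoader|InMemoryDexClassLoader"), "dynamic code loading"),
    (re.compile(r"Class;->forName|reflect/Method;->invoke|getDeclaredMethod"), "reflection"),
    (re.compile(r"NotificationListenerService;->cancel"), "notification suppression"),
]


def manifest_findings(manifest_xml, app_category="qr_scanner"):
    """Return findings for permissions/components that do not fit the app's purpose."""
    root = ET.fromstring(manifest_xml)
    findings = []
    declared = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for perm in sorted(declared - EXPECTED[app_category]):
        if perm in HIGH_RISK:
            findings.append(f"unexpected permission {perm}: {HIGH_RISK[perm]}")
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == NOTIF_LISTENER_PERM:
            name = svc.get(ANDROID_NS + "name")
            findings.append(f"notification listener service {name}: can read and cancel notifications")
    return findings


def code_findings(strings):
    """Return findings for DCL / reflection / notification-cancel indicators."""
    findings = []
    for s in strings:
        for pattern, label in DCL_PATTERNS:
            if pattern.search(s):
                findings.append(f"{label}: {s}")
    return findings


def triage(manifest_xml, strings, app_category="qr_scanner"):
    """Combine manifest and code findings into one list for the analyst."""
    return manifest_findings(manifest_xml, app_category) + code_findings(strings)


if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_CODE_STRINGS):
        print("[!]", finding)
```

None of these indicators is proof of malice on its own: legitimate apps use reflection, and a few use notification listeners. The signal is the combination with the app's stated purpose, which is why the baseline of expected permissions is keyed by app category and should be maintained per category rather than as a single global allow-list.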
Source Article: