We launched our investigation when we encountered a sample that matched our detection rule for Joker but seems to have a different payload. Later in our investigation, we found more related malicious apps: (Sound Prank Hair Clipper, Fart, Crack Screen Prank).

We have informed Google and they have since taken down these apps: The following are the app IDs of the new apps associated with Joker.

For one of these apps (org.my.favorites.up.keypaper), its early version is non-malicious. But as the version is updated, the developer gradually adds malicious code. The additional code injected serves as the dropper. The code’s components including the sub-package name, class name, method name, and junk code are heavily obfuscated. Each string is encrypted with AES + Base64.

Joker will then proceed with its subscription routine, which typically goes like this:

First, Joker selects a mobile phone operator.

Input the MSISDN (Mobile Subscriber Integrated Services Digital Network)

Then it inputs the MSISDN according to the phone number and submits a request to get an OTP by tapping the OTP button.

The OTP code is usually received via SMS. Joker reads this code by observing notification content via the NotificationListenerService component.