[Mal Series #11] Quick Tricks to Identify Suspicious Behavior of Android Malware (Joker)
Here are some of my tips for identifying where the encrypted c2/strings are located in Android malware, especially Joker 🤡.
The strings commonly found encrypted in this kind of malware:
i) Dex related (e.g. ClassLoader), as this is what invokes the malicious function of the Dex payload fetched from the c2.
ii) Java native function (e.g.
iii) The c2 URL that hosts the malicious payload.
Usually the malicious code creates its own background process via <application>. Why? Check out the 3rd screenshot below.
Look for android:exported=true or more than one intent filter. Why? Check out the 4th screenshot below.
Look for a Service/Receiver called by the suspicious package that leads to the c2 for stager 2.
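To make those three manifest checks repeatable, here is a small triage program written for this story (it is not code from the post or from any Joker sample). It assumes the APK's manifest has already been decoded to text XML, for example with apktool, since the manifest inside an APK is binary-encoded. The embedded manifest is constructed for the demo: the package, class and component names in it are made up. It flags a custom Application class (its onCreate() runs before any Activity, which is where a background thread is typically kicked off), components with android:exported="true", components that carry an intent filter but no android:exported attribute (implicitly exported on targetSdk below 31), and components with more than one intent filter.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class ManifestTriage {

    static final String ANDROID_NS = "http://schemas.android.com/apk/res/android";

    // Constructed manifest for the demo (NOT taken from a real sample); names are made up.
    static final String SAMPLE_MANIFEST =
          "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
        + "<manifest xmlns:android=\"" + ANDROID_NS + "\" package=\"com.example.weather\">\n"
        + "  <application android:name=\"com.example.weather.b\" android:label=\"Weather\">\n"
        + "    <activity android:name=\".MainActivity\">\n"
        + "      <intent-filter>\n"
        + "        <action android:name=\"android.intent.action.MAIN\"/>\n"
        + "        <category android:name=\"android.intent.category.LAUNCHER\"/>\n"
        + "      </intent-filter>\n"
        + "    </activity>\n"
        + "    <service android:name=\".c\" android:exported=\"true\"/>\n"
        + "    <receiver android:name=\".d\">\n"
        + "      <intent-filter><action android:name=\"android.intent.action.BOOT_COMPLETED\"/></intent-filter>\n"
        + "      <intent-filter><action android:name=\"android.intent.action.USER_PRESENT\"/></intent-filter>\n"
        + "    </receiver>\n"
        + "  </application>\n"
        + "</manifest>\n";

    static List<String> triage(String manifestXml) throws Exception {
        List<String> findings = new ArrayList<>();
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The decoded manifest is attacker-controlled input: refuse DOCTYPE so no XXE/entity tricks apply.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = factory.newDocumentBuilder()
            .parse(new ByteArrayInputStream(manifestXml.getBytes(StandardCharsets.UTF_8)));

        // 1) Custom Application subclass: its onCreate() runs before any Activity is shown.
        NodeList apps = doc.getElementsByTagName("application");
        if (apps.getLength() > 0) {
            String appClass = ((Element) apps.item(0)).getAttributeNS(ANDROID_NS, "name");
            if (!appClass.isEmpty()) {
                findings.add("<application android:name=\"" + appClass + "\">: custom Application class runs before any Activity");
            }
        }

        // 2) and 3) Components that are exported (explicitly or implicitly) or carry several intent filters.
        for (String tag : new String[] {"activity", "service", "receiver", "provider"}) {
            NodeList nodes = doc.getElementsByTagName(tag);
            for (int i = 0; i < nodes.getLength(); i++) {
                Element el = (Element) nodes.item(i);
                String name = el.getAttributeNS(ANDROID_NS, "name");
                String exported = el.getAttributeNS(ANDROID_NS, "exported");
                int filters = el.getElementsByTagName("intent-filter").getLength();
                if (exported.equalsIgnoreCase("true")) {
                    findings.add(tag + " " + name + ": android:exported=\"true\"");
                } else if (exported.isEmpty() && filters > 0 && !tag.equals("activity")) {
                    // Activities are skipped here because the launcher activity always has a MAIN/LAUNCHER filter.
                    findings.add(tag + " " + name + ": intent filter without android:exported (implicitly exported when targetSdk < 31)");
                }
                if (filters > 1) {
                    findings.add(tag + " " + name + ": " + filters + " intent filters");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Pass the path of an apktool-decoded AndroidManifest.xml, or run with no arguments to use the constructed sample.
        String xml = args.length > 0
            ? new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8)
            : SAMPLE_MANIFEST;
        for (String finding : triage(xml)) {
            System.out.println("[!] " + finding);
        }
    }
}
```

Run it against the constructed sample and it reports the custom Application class, the exported service .c, and the receiver .d both for being implicitly exported and for carrying two intent filters; the launcher activity is not reported. None of these findings is proof of malice on its own (plenty of clean apps have an Application subclass and a boot receiver), they only tell you which components to open first in the decompiler.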
Example of the Joker Android malware initiating a suspicious background event.
Normally it goes through a few packages until it reaches the malicious package that initiates the suspicious event.
The example below shows the suspicious event initiated from
Flow to initiate the suspicious background event
It can be seen that the main application tries to import the malicious package org.mockito.internal.util.reflection.b; a new thread is created with new a() and started by calling .start() from that package, and OnCreateView redirects to the thread creation.
The Runnable object in org.mockito.internal.util.reflection.a is what triggers the background process.
String Decryption Method used by Joker
i) Normal String Manipulation
Here is an example of the decryption code, which normally uses string manipulation to hide the main c2 for stager 2:
Other string manipulation methods:
You can try to decrypt it :D (Note: it's from a real malware sample)
ii) AES/ECB and Base64
For this kind of encryption, the malware stores the encrypted strings in
res/values/strings.xml under some random name, in this case is
From there, you can trace which function is calling it by using
By tracing a(), it can be seen that it is an AES/ECB decryption function:
i) 1st parameter, ad_src (str): encrypted text
ii) 2nd parameter, ad_key (str2): AES key
SecretKeySpec() into your favourite Java editor and run it :D
If it succeeds, you will get the c2 address as below and can continue with the stager 2 analysis.
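For readers who want a ready-made harness rather than pasting the decompiled a() into an editor, here is a stand-alone Java decryptor written for this story (it is not the sample's code and not the post's own). It mirrors the shape described above: ad_src is Base64-decoded and then AES/ECB-decrypted with ad_key used as raw key bytes. The key and c2 string in it are constructed placeholders, not values from a real sample, and the padding choice (PKCS5Padding, which is what Cipher.getInstance("AES") resolves to in the JDK) is an assumption to be checked against the decompiled transformation string.

```java
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JokerStringDecrypt {

    // Constructed 16-byte AES key standing in for the value stored under the sample's
    // random "ad_key" resource name (NOT a key from a real sample).
    static final String AD_KEY = "0123456789abcdef";

    // Constructed placeholder c2, used only to manufacture a demo ciphertext.
    static final String PLACEHOLDER_C2 = "http://c2.example.invalid/stager2";

    /**
     * Same shape as the decompiled a(str, str2): Base64-decode ad_src, then AES/ECB-decrypt it
     * with ad_key as raw UTF-8 key bytes. Swap the transformation string if the sample names
     * a different padding; AES/ECB/PKCS5Padding is what Cipher.getInstance("AES") means in the JDK.
     */
    static String decrypt(String adSrc, String adKey) throws Exception {
        SecretKeySpec key = new SecretKeySpec(adKey.getBytes(StandardCharsets.UTF_8), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key);
        // getMimeDecoder() tolerates the line breaks that android.util.Base64.DEFAULT inserts
        // into long strings; the plain getDecoder() would reject them.
        byte[] plain = cipher.doFinal(Base64.getMimeDecoder().decode(adSrc));
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** Inverse of decrypt(); only here so the demo can build a constructed ad_src value. */
    static String encrypt(String plain, String adKey) throws Exception {
        SecretKeySpec key = new SecretKeySpec(adKey.getBytes(StandardCharsets.UTF_8), "AES");
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return Base64.getEncoder().encodeToString(cipher.doFinal(plain.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Usage: java JokerStringDecrypt <ad_src> <ad_key>  (values copied from the sample's strings.xml)
        // With no arguments the constructed placeholder is encrypted and decrypted as a self-check.
        String adSrc = args.length == 2 ? args[0] : encrypt(PLACEHOLDER_C2, AD_KEY);
        String adKey = args.length == 2 ? args[1] : AD_KEY;

        System.out.println("ad_src: " + adSrc);
        try {
            System.out.println("decrypted: " + decrypt(adSrc, adKey));
        } catch (BadPaddingException e) {
            // Wrong key, wrong padding/transformation, or the blob was not produced by this routine at all.
            System.out.println("decryption failed (BadPaddingException): key or transformation does not match the sample");
        }
    }
}
```

Two failure modes worth knowing: cipher.init() throws InvalidKeyException when ad_key is not exactly 16, 24 or 32 bytes (some samples hash or pad the resource value first, so check how the decompiled code derives the key), and a BadPaddingException almost always means the key or transformation string was copied wrong rather than a broken sample.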
Here is another example that you could try 🤗.
A few Joker malware samples use JNI to hide their c2, but that is not covered in this story.