[Mal Series #11] Quick Tricks to Identify Suspicious Behavior of Android Malware (Joker)

Here are some of my tips for locating the encrypted c2 address and strings in Android malware, especially Joker 🤡.

The common encrypted strings found in this kind of malware are:
i) Dex related (e.g. dalvik, system, DexClassLoader, ClassLoader), as these are used to invoke the malicious function of the Dex payload from the c2.
ii) Java native function related (e.g. Java, Lang).
iii) The c2 URL that contains the malicious payload.

Usually the malicious code will create its own background process via:
i) The main intent.
ii) android:name= inside <application>. Why? Check out the 3rd screenshot below.
iii) <receiver> or <service> with android:exported=true or more than one intent filter. Why? Check out the 4th screenshot below.

Service/receiver called by the suspicious package that leads to the c2 for stager 2

<service> tag
<receiver> tag
android:name within application
android:exported within receiver/service
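
A quick triage of the three manifest entry points listed above, as an added example (not code from the original post or from the malware): it reads a decoded AndroidManifest.xml and lists the classes worth opening first in Jadx. The sample manifest and every name in it are constructed.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Constructed sample manifest (decoded text form); every name in it is made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sample">
  <application android:name="com.example.sample.App">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name="com.example.sdk.a.SyncService" android:exported="true"/>
    <receiver android:name="com.example.sdk.a.BootReceiver" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
      <intent-filter><action android:name="android.intent.action.USER_PRESENT"/></intent-filter>
    </receiver>
    <service android:name=".QuietService" android:exported="false"/>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return (tag, class_name, reason) tuples for the entry points to read first."""
    app = ET.fromstring(xml_text.strip()).find("application")
    findings = []
    if app is None:
        return findings
    # ii) android:name on <application>: a custom Application class runs at process start
    if app.get(NS + "name"):
        findings.append(("application", app.get(NS + "name"), "custom Application class"))
    for comp in app:
        name = comp.get(NS + "name", "?")
        filters = comp.findall("intent-filter")
        if comp.tag == "activity":
            # i) the main intent: the activity the launcher starts
            for f in filters:
                if any(a.get(NS + "name") == "android.intent.action.MAIN" for a in f.findall("action")):
                    findings.append((comp.tag, name, "main intent"))
        elif comp.tag in ("service", "receiver"):
            # iii) exported=true, or more than one intent filter
            if comp.get(NS + "exported", "").lower() == "true":
                findings.append((comp.tag, name, "exported=true"))
            if len(filters) > 1:
                findings.append((comp.tag, name, "%d intent filters" % len(filters)))
    return findings

if __name__ == "__main__":
    for tag, name, reason in triage_manifest(SAMPLE_MANIFEST):
        print(f"{tag:12} {name:32} {reason}")
```

Feed it the text manifest produced by a decoder such as apktool or Jadx; the binary AndroidManifest.xml inside the APK will not parse as XML.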

Example of how the Joker Android malware initiates a suspicious background event.

Normally it will go through a few packages until it reaches the malicious package that initiates the suspicious event.

The example below shows a suspicious event initiated from the main intent.

Flow to initiate the suspicious background event

We can see that the main application tries to import the malicious package org.mockito.internal.util.reflection.b.

In org.mockito.internal.util.reflection.b, a new thread is created with new a() from the package org.mockito.internal.util.reflection.a and started by calling .start().

OnCreateView redirects to the thread creation.

Runnable object in org.mockito.internal.util.reflection.a which triggers the background process.

The scrambled strings there are the c2 and Java native related functions.

String Decryption Method used by Joker

i) Normal String Manipulation

Here is an example of the decryption code, which normally uses string manipulation to hide the main c2 for stager 2:

Other string manipulation methods:

You can try to decrypt it :D (Note: it's from real malware)

ii) AES/ECB and Base64

For this kind of encryption, the malware stores the encrypted strings in res/values/strings.xml under some random names, in this case ad_key, ad_show and ad_src.

From there, you can trace which function is calling them by using the Jadx text search.

Here is the function!!

By tracing a(), we can see that it is an AES/ECB decryption function:
i) 1st parameter, ad_src (str): encrypted text
ii) 2nd parameter, ad_key (str2): AES key

Full Decryption Function

Copy a() and SecretKeySpec() into your favourite Java editor and run it :D

Create AES Key based on the 2nd parameter in a()

If it succeeds, you will get the c2 address as below to continue with the stager 2 analysis.

c2 for stager 2

Here is another example that you could try 🤗.

A few Joker malware samples use JNI to hide their c2, but that is not covered in this story.


