Android App Fraud – Haken Clicker and Joker Premium DialerFebruary 21, 2020
Research by: Ohad Mana, Israel Wernik, Bogdan Melnykov, Aviran Hazum
Check Point researchers have recently discovered a new clicker malware family, along with fresh samples of the Joker malware family in Google Play.
Throughout this publication we present a brief overview of the malicious campaigns, and describe the technical analysis that has been performed around the two families of malware.
‘Haken’ & ‘BearClod’ Clickers:
Clickers, malware that mimics the user and perform ‘clicks’ on ads, are a rising threat in the mobile industry. Recently, UpsteamSystems published a report regarding a clicker dubbed ‘ai.type’ or ‘BearClod’. We have observed an increase in activity and scale of the operation behind this clicker, with 47 new applications that were available on Google Play, and were downloaded more than 78 million times by users.
While monitoring the increased activity of ‘BearClod’, we were able to find another clicker family: ‘Haken’. This campaign has just begun its path in Google Play. With 8 malicious applications, and over 50,000 downloads, the clicker aims to get a hold of as many devices as possible to generate illegitimate profit.
Figure 1 – Haken Clicker Application on Google Play
Figure 2 – Haken Clicker Details from Google Play
Figure 3 – Google Play reviews and comments for Haken Clicker
The first entry point of the Haken clicker is the receiver called ‘BaseReceiver’. This receiver asks for permissions that the backdoored app (in this case, a compass application that actually provides a compass service) does not require to function, for instance,BOOT_COMPLETED which let the backdoored application to run code at device start-up.
Figure 4 – Haken Clicker Permissions
This BaseReceiver loads a native library ‘kagu-lib’ and calls from it a method called ‘startTicks’, which after inspection calls the method ‘clm’ from ‘com/google/android/gms/internal/JHandler’. This class registers two workers and a timer. One worker communicates with the C&C server to download a new configuration and process it, while the other is triggered by the timer, checks for requirements and injects code into the Ad-related Activity classes of well-known Ad-SDK’s like Google’s AdMob and Facebook.
Figure 5 – startTicks function
Figure 6 – Communication with C&C to get configuration
Figure 7 – Processing the configuration
Figure 8 – Injection into Facebook and Google
The clicking functionality is implemented in the code that was injected into the Ad-SDK’s ‘onCreate’ function, in this case, it’s the ‘yzt.sta’ method.
Figure 9 – Calling the injected code
While using ‘MotionEvent’ to mimic user clicks, those functions are called via reflection.
Figure 10 – Clicking on ads received from the Ad-SDK via reflection on MotionEvent’s obtain.
After reporting this threat to Google, all of the affected applications were removed from Google Play, and most of them have already published a new version without the threat.
With the usage of native-code, code injection into Ad-SDKs, and backdoored applications from the official store, Haken has shown clicking capabilities while staying under the radar of Google Play. Even with a relatively low download count of 50,000+, this campaign has shown the ability that malicious actors have to generate revenue from fraudulent advertising campaigns.
‘Joker’ Spyware and Premium Dialer:
The ‘Joker’ malware family, originally discovered in September 2019, is a spyware and premium dialer (subscribes the user to premium services) for Android that was found on Google Play.
In the past few months, Joker keeps reappearing in the Google Play store, a few samples at a time. Tatyana Shishkova (@sh1shk0va), recently posted on twitter a few examples of the Joker malware family reaching Google Play:
We have recently discovered four additional samples of Joker on Google Play, downloaded 130,000+ times
Figure 1 – Joker samples
- Technical Analysis
Joker tries to hide its functionality by modifying the used strings, in this case, Joker utilized a simple XOR cipher with a static key.
Figure 2 – XOR’ed strings and decryption function
Inside the MainActivity’s ‘OnCreate’, the malicious applicationtriggers the malicious process, which then registers a receiver that is used to enable the ‘NotificationListenerService’ service. When a command is received from the loaded module, it then proceeds to run the handler.
Figure 3 – Registration of a receiver
Figure 4 – Notification Listener usage
The handler checks for already downloaded payload, and if present invokes the ‘mas’ method from the payload while using ‘Reflection’, and starts the ‘DirectorAct’ activity.
Figure 5 – Invoke of ‘mas’ function and calling ‘DirectorAct’
‘DirectorAct’ class invokes another method from the payload, ‘chris’. If any exception was raised while processing or the payload was not downloaded already, Joker contacts the C&C to download a new payload.
Figure 6 – Contacting C&C
Let’s take a look inside the ‘mas’ function called from the main activity.
Upon start, the payload reads the operator information from the device and makes sure that the device is not from the US (MMC 310) or Canada (MMC 302).
Figure 7 – Filtering US and Canada
Once all conditions are met, Joker contacts the payload’s C&C server, from which it loads a configuration.
Figure 8 – Loading configuration
The configuration contains a new URL, for another payload to be loaded, and a class name with a method to be executed after downloading.
Figure 9 – handle configuration
Figure 10 – Dex loading
Figure 11 – Payload execution
With access to the notification listener, and the ability to send SMS, the payload listens for incoming SMS and extract the premium service confirmation code (2FA) and sends it to the “Offer Page”, to subscribe the user to that premium service.
But how does the malware subscribe the user to those services in the first place, you might ask. Inside the configuration received from the C&C server, a list of URLs to contact (“Offer pages”) is processed and opened in a hidden webview.
Figure 12 – Opening a hidden webview and contacting the Offer Page
After reporting those applications, Google has removed them from Google Play.
While avoiding the US and Canada, this Joker campaign proves the quick turn-around of experienced malicious actors. Almost every week since its launch, Joker managed to get into the official store and get downloaded into users’ devices.
Stay Protected from Mobile Threats
Check Point SandBlast Mobile is the market-leading Mobile Threat Defense (MTD) solution, providing the widest range of capabilities to help you secure your mobile workforce.
SandBlast Mobile provides protection for all mobile vectors of attack, including the download of malicious applications and applications with malware embedded in them.
Appendix 1 – Haken Clicker IOC’s:
- C&C Servers:
Appendix 2 – BearClod Clicker IOC’s:
- C&C Servers:
Appendix 3 – Joker IOC’s:
- C&C Servers:
- Dropped payload: