Tracking Android/Joker payloads with Medusa, static analysis (and patience)


```
use http_communications/uri_logger
use encryption/cipher_1
use code_loading/dump_dyndex
use code_loading/load_class
```
I use the URI hook (http_communications/uri_logger) in Medusa and see that the malware calls those URLs. Android/Joker is known to use URLs such as xxx[.]
Bingo! The look4.oss-ap[..] URL is encrypted. The decryption hook, encryption/cipher_1, shows the decrypted value.
```
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/audience_network.dex
[+] Dumped /data/user/0/com.designemoji.keyboard/files/audience_network.dex to dump_1
loadClass: com.designemoji.keyboard.EnableActivity
PathClassLoader(f,p) called: /data/user/0/com.designemoji.keyboard/cache/nuff
[+] Dumped /data/user/0/com.designemoji.keyboard/cache/nuff to dump_2
loadClass: seek
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/seek
[+] Dumped /data/user/0/com.designemoji.keyboard/files/seek to dump_3
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/Yang
[+] Dumped /data/user/0/com.designemoji.keyboard/files/Yang to dump_4
loadClass: com.xjuys
```
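The code_loading hook output above is easier to reason about once each loader call is tied to the file Medusa dumped for it and to the classes loaded from it. The following Python parser is an added example (not part of the post and not Medusa code) that rebuilds that staging chain from the log lines copied above; the regexes and the rule that a loadClass line belongs to the most recent loader are my assumptions about this output format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the dump_dyndex / load_class hook lines copied from the post above.
MEDUSA_LOG = """\
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/audience_network.dex
[+] Dumped /data/user/0/com.designemoji.keyboard/files/audience_network.dex to dump_1
loadClass: com.designemoji.keyboard.EnableActivity
PathClassLoader(f,p) called: /data/user/0/com.designemoji.keyboard/cache/nuff
[+] Dumped /data/user/0/com.designemoji.keyboard/cache/nuff to dump_2
loadClass: seek
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/seek
[+] Dumped /data/user/0/com.designemoji.keyboard/files/seek to dump_3
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/Yang
[+] Dumped /data/user/0/com.designemoji.keyboard/files/Yang to dump_4
loadClass: com.xjuys
"""
# Line shapes assumed from the output above (hypothetical, not Medusa's spec).
LOADER_RE = re.compile(r"^(DexClassLoader|PathClassLoader)(?:\([^)]*\))? called: (\S+)$")
DUMP_RE = re.compile(r"^\[\+\] Dumped (\S+) to (\S+)$")
CLASS_RE = re.compile(r"^loadClass: (\S+)$")

@dataclass
class Stage:
    loader: str                      # DexClassLoader or PathClassLoader
    path: str                        # file handed to the loader on the device
    dump: Optional[str] = None       # local dump_N file Medusa wrote for it
    classes: List[str] = field(default_factory=list)  # classes loaded from it

def parse_stages(log: str) -> List[Stage]:
    """Group each loader call with its dump and the loadClass calls that follow.
    Assumption: a loadClass line belongs to the most recently created loader."""
    stages: List[Stage] = []
    for line in log.splitlines():
        line = line.strip()
        if m := LOADER_RE.match(line):
            stages.append(Stage(loader=m.group(1), path=m.group(2)))
        elif (m := DUMP_RE.match(line)) and stages and stages[-1].path == m.group(1):
            stages[-1].dump = m.group(2)
        elif (m := CLASS_RE.match(line)) and stages:
            stages[-1].classes.append(m.group(1))
    return stages

def chain(stages: List[Stage]) -> List[str]:
    """Ordered payload file names, i.e. the staging chain an analyst follows."""
    return [s.path.rsplit("/", 1)[-1] for s in stages]

def no_dex_extension(stages: List[Stage]) -> List[str]:
    """Files loaded as code without a .dex/.jar/.apk name: a cheap triage flag."""
    return [n for n in chain(stages) if not n.lower().endswith((".dex", ".jar", ".apk"))]
```

Running parse_stages on the captured log gives four stages, with dump_2 mapping to nuff (payload 1) and the later files (seek, Yang) loaded under extension-less names.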

Loading nuff (payload 1)

## Cipher
```
- file=./emojikeyboard.apk-afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f/smali/f/a/a/a.smali no= 25 line=b'.method private b()Ljavax/crypto/Cipher;\n'
- file=./emojikeyboard.apk-afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f/smali/f/a/a/a.smali no= 63 line=b' invoke-static {v0, v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;Ljava/lang/String;)Ljavax/crypto/Cipher;\n'
```
The code loads the JAR with getClassLoader, then invokes a method named melody()

Static analysis of nuff (payload 1)

Code of payload 1: the download URL for payload 2. We also see that method bustle of class cantus is called.

Static analysis of payload 2

Payload 2 is loading … Payload 3

Static analysis of payload 3

Payload 3 connects to a remote URL and downloads payload 4.


Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.