
Zero Detections: How a Rust-Compiled Joker Variant With ChaCha20 Encryption Achieved Complete AV Evasion Inside an Emoji Wallpaper App

A fake Google signing certificate, a native Rust payload, and 12 more apps that might be compromised

Published March 12, 2026

Zero out of 64. That's how many antivirus engines on VirusTotal detected the base APK of "Cute Emoji Wallpaper" when we analyzed it. The XAPK container fared barely better: 1 out of 56. This is a Joker/Bread billing fraud trojan -- one of the most prolific Android malware families in existence -- and it's essentially invisible to every major mobile security vendor.

The trick: the malicious payload lives entirely inside a Rust-compiled native library, stored ChaCha20-encrypted. There is no malicious Java, no DEX-based dynamic loading, and no JavaScript payload download. Detection logic built around Joker's earlier stages (Java-side droppers, DEX loading, scripted payload fetches) looks in the wrong place; the native library is where the evidence is.

Fresh From the Oven

The APK was re-signed on March 11, 2026, the day before this report was published, with a self-signed certificate whose subject claims to be "Google Inc., Android." The certificate's SHA-1 thumbprint 2489a9056fae8b6659e20e87ef6708cd0f532af1 does not match any legitimate Google signing key. Android does not validate certificate subject names, so the fake subject fools only a human reading signer details; the thumbprint is what matters for detection. Someone took a clean app, injected the Rust payload, re-signed it, and pushed it out within hours.

The package name com.segment.emojicute.wallpaper and developer name "3D HD Moving Live Wallpapers Magic Touch" appear on the Google Play Store. The developer's website, customizemyandroid[.]com, was updated on March 10 and is hosted on Hostinger. Cross-promotion JSON served from that domain lists 12 additional wallpaper and game apps, all of which may carry the same trojan.

Inside the Rust Payload

The native library libbegolay.so (808KB, ARM64) was compiled on macOS with the LLVM 20.0.0 toolchain shipped in the Android NDK. It contains:

  • A complete ChaCha20 stream cipher implementation (source path: ./wt/c/src/chacha20.rs)
  • ~308KB of encrypted payload data starting at offset 0xC000, with entropy approaching 8.0
  • A JNI bridge exposing two methods: GolayEngine.lay() (decrypt and load) and GolayEngine.vcg() (execute decrypted code)

The execution flow: LauncherActivity -> TornadoApplication initializes -> GolayEngine.lay() decrypts the 308KB payload via ChaCha20 -> GolayEngine.vcg() executes it -> NotificationsService registers to intercept all device notifications.
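The artifacts above (the leftover Rust source path, the GolayEngine JNI exports, and a large near-8.0-entropy blob) can be turned into a simple triage check for native libraries. The Python below is an added example, not tooling from this report or from the malware author. The library it scans is constructed in memory as a stand-in for libbegolay.so; the JNI package prefix com.example is a placeholder, since the report gives only the class and method names, and the window size and entropy threshold are heuristics.

```python
"""Triage a native library for the Rust/ChaCha20 artifacts described above.
Added example; not the report's tooling. The JNI package prefix is unknown,
so the regex matches only on the class and method names the report gives."""
import math
import random
import re

RUST_SOURCE_PATHS = (b"chacha20.rs",)   # source path rustc leaves in the binary
JNI_EXPORT_RE = re.compile(rb"Java_[A-Za-z0-9_]+_GolayEngine_(?:lay|vcg)\b")
WINDOW = 8192        # bytes per entropy window
THRESHOLD = 7.9      # bits/byte: code and tables sit well below, ciphertext approaches 8.0


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte over the buffer (0.0 for constant data, 8.0 for uniform)."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD):
    """Merge consecutive windows whose entropy >= threshold into (start, end) ranges."""
    regions, start = [], None
    for off in range(0, len(data) - window + 1, window):
        if shannon_entropy(data[off:off + window]) >= threshold:
            start = off if start is None else start
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, (len(data) // window) * window))  # end of last full window
    return regions


def scan_native_lib(data: bytes) -> dict:
    """Collect loader artifacts and opaque-blob size; flag only when both are present."""
    regions = high_entropy_regions(data)
    f = {
        "is_elf": data[:4] == b"\x7fELF",
        "rust_source_paths": [p.decode() for p in RUST_SOURCE_PATHS if p in data],
        "jni_exports": sorted({m.group(0).decode() for m in JNI_EXPORT_RE.finditer(data)}),
        "high_entropy_regions": regions,
        "encrypted_blob_bytes": sum(e - s for s, e in regions),
    }
    # A stray high-entropy section alone (e.g. compressed debug info) is not enough;
    # require a loader artifact plus a sizeable opaque blob.
    f["suspicious"] = bool(f["rust_source_paths"] or f["jni_exports"]) \
        and f["encrypted_blob_bytes"] >= 64 * 1024
    return f


def build_sample_lib(seed: int = 1, blob_size: int = 256 * 1024) -> bytes:
    """Constructed stand-in for libbegolay.so: ELF magic, low-entropy 'code',
    the artifact strings, then a pseudo-random blob playing the encrypted payload."""
    rng = random.Random(seed)
    code = bytes(rng.choices(b"\x00\x00\x00\x48\x89\xe5\xc3\x90", k=32 * 1024))
    strings = (b"./wt/c/src/chacha20.rs\x00"
               b"Java_com_example_GolayEngine_lay\x00"   # com.example is a placeholder prefix
               b"Java_com_example_GolayEngine_vcg\x00")
    head = b"\x7fELF" + code + strings
    head += b"\x00" * (-len(head) % WINDOW)   # align the blob to a window boundary
    return head + rng.randbytes(blob_size)


def build_benign_lib(seed: int = 2) -> bytes:
    """Constructed control: code-like bytes only, no artifacts, no blob."""
    rng = random.Random(seed)
    return b"\x7fELF" + bytes(rng.choices(b"\x00\x00\x00\x48\x89\xe5\xc3\x90", k=64 * 1024))


if __name__ == "__main__":
    print(scan_native_lib(build_sample_lib()))
    print(scan_native_lib(build_benign_lib()))
```

On a real APK, run scan_native_lib over each file under lib/ after unzipping; the co-occurrence rule keeps ordinary libraries with a compressed section from tripping the check on entropy alone.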

The Fraud Mechanism

Joker's endgame is always the same: subscribe victims to premium services and intercept the confirmation SMS or push notification before the victim sees it. This variant declares a NotificationListenerService protected by BIND_NOTIFICATION_LISTENER_SERVICE. A listener declared in the manifest sees nothing until the victim enables notification access for the app in Settings; once that is granted, the service receives every notification posted on the device, including banking OTPs, 2FA codes, and premium service confirmations.

When a premium subscription confirmation arrives, the malware reads the OTP from the notification, submits it to complete the subscription, and cancels the notification so the victim never sees it.

12 More Apps at Risk

The developer's infrastructure at customizemyandroid[.]com (Hostinger, AS47583, registered since August 2020) serves a cross-promotion JSON listing 12 additional apps. Every wallpaper app from this developer should be treated as potentially compromised until proven otherwise. The domain has been active for over 5 years -- this isn't a throwaway operation.

IOCs

Sample Hashes:

  • b50540e10b04010acedb62e48694af7fa9079c92b11eb396c2ae92b36ad191b1 -- XAPK container
  • 35a47c77d66fc4b86868e5674f7f5c9b93216434a14c58f244e3a94adbb5b0ed -- Base APK (0/64 VT)

Infrastructure:

  • customizemyandroid[.]com -- Developer domain (Hostinger, active since 2020)
  • Package: com.segment.emojicute.wallpaper

Signing Certificate (FAKE):

  • SHA-1 thumbprint: 2489a9056fae8b6659e20e87ef6708cd0f532af1
  • Subject: "Google Inc., Android" (self-signed, NOT legitimate Google)

Detection Guidance

  1. Hunt for libbegolay.so in installed APKs. We have not seen this library name in any other sample, so a hit is a strong indicator.
  2. Monitor BIND_NOTIFICATION_LISTENER_SERVICE declarations and, more importantly, enabled notification-access grants. Legitimate wallpaper apps have no reason to read notifications; a wallpaper app with notification access enabled is the signal to act on.
  3. Block customizemyandroid[.]com at the DNS level.
  4. Check for the fake Google signing certificate thumbprint (SHA-1 2489a9056fae8b6659e20e87ef6708cd0f532af1) across your mobile fleet.
  5. YARA on APK contents: match the Rust compilation artifacts (the chacha20.rs source path, the GolayEngine JNI symbols) inside the native libraries, not just the DEX.
  6. Enterprise MDM: audit all apps from developer "3D HD Moving Live Wallpapers Magic Touch".
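Items 1, 2 and 4 above can be checked with nothing but the APK file. The Python below is an added example, not tooling from this report: it pulls the signer certificate out of a v1 (JAR) signature block in META-INF, computes its SHA-1 thumbprint for comparison with the IOC, looks for the notification-listener permission string in the binary manifest, and lists native libraries. The APK it audits is constructed in memory with a placeholder certificate body (not a real X.509 structure), so the constructed sample only matches the IOC when its own thumbprint is passed in as the bad list.

```python
"""Fleet-side APK audit for the IOCs in this report (v1/JAR-signed APKs).
Added example; not tooling from the report. Extracts the signer cert,
does not verify the signature."""
import hashlib
import io
import zipfile

# IOC from this report: SHA-1 over the DER-encoded signer certificate.
FAKE_GOOGLE_THUMBPRINT = "2489a9056fae8b6659e20e87ef6708cd0f532af1"
# Binary AXML string pools are UTF-16LE or UTF-8 depending on a pool flag, so match both.
NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
NOTIF_PERM_PATTERNS = (NOTIF_PERM.encode(), NOTIF_PERM.encode("utf-16-le"))


def der_tlv(buf, pos):
    """Parse one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(buf, start, end):
    """Yield (tag, tlv_start, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, pos, vs, ve
        pos = ve


def certs_from_pkcs7(blob):
    """Return the DER bytes of each certificate in a PKCS#7 SignedData (META-INF/*.RSA)."""
    _, s, e = der_tlv(blob, 0)                          # ContentInfo SEQUENCE
    _, _, s0, e0 = list(der_children(blob, s, e))[1]    # [0] EXPLICIT wrapping SignedData
    _, s1, e1 = der_tlv(blob, s0)                       # SignedData SEQUENCE
    for tag, _, vs, ve in der_children(blob, s1, e1):
        if tag == 0xA0:                                 # [0] IMPLICIT certificates
            return [blob[cs:ce] for t, cs, _, ce in der_children(blob, vs, ve) if t == 0x30]
    return []


def thumbprint(cert_der):
    return hashlib.sha1(cert_der).hexdigest()


def audit_apk(apk_bytes, bad_thumbprints=frozenset({FAKE_GOOGLE_THUMBPRINT})):
    r = {"cert_thumbprints": [], "native_libs": [], "notification_listener": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                r["cert_thumbprints"] += [thumbprint(c) for c in certs_from_pkcs7(z.read(name))]
            elif name == "AndroidManifest.xml":
                data = z.read(name)
                r["notification_listener"] = any(p in data for p in NOTIF_PERM_PATTERNS)
            elif name.startswith("lib/") and name.endswith(".so"):
                r["native_libs"].append(name.rsplit("/", 1)[-1])
    r["bad_cert"] = any(t in bad_thumbprints for t in r["cert_thumbprints"])
    r["known_loader_lib"] = "libbegolay.so" in r["native_libs"]
    r["flag"] = r["bad_cert"] or r["known_loader_lib"] or r["notification_listener"]
    return r


# --- constructed sample APK: placeholder certificate body, not a real X.509 cert ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")          # 1.2.840.113549.1.7.1
SAMPLE_CERT = der(0x30, b"placeholder certificate body (constructed for this example)")


def build_sample_apk():
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
                 + der(0xA0, SAMPLE_CERT) + der(0x31, b""))
    pkcs7 = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed))
    manifest = b"\x03\x00\x08\x00" + NOTIF_PERM.encode("utf-16-le")   # AXML-like header + pool entry
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("lib/arm64-v8a/libbegolay.so", b"\x7fELF")
        z.writestr("META-INF/CERT.RSA", pkcs7)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_apk(build_sample_apk()))
```

Two caveats for fleet use. APK Signature Scheme v2 and v3 keep their certificates in the APK Signing Block that precedes the zip central directory, not in META-INF, so an APK signed only with v2/v3 yields no thumbprint here; `apksigner verify --print-certs` from the Android SDK build tools is the authoritative check. And a permission string in the manifest only shows the listener is declared; whether the user actually granted notification access is device state that MDM must query separately.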