The Joker malware app, which specializes in billing fraud, has made a return to the Google Play Store. Researchers noticed an uptick in the number of malicious Android apps that hide Joker malware, which stows away as a trojan in other applications. Joker has been around since 2017, disguising itself within common, legitimate apps like camera apps, games, messengers, photo editors, translators and wallpapers. Once installed, Joker apps silently simulate clicks and intercept SMS messages to subscribe victims to unwanted, paid premium services controlled by the attackers – a type of billing fraud that researchers categorize as “fleeceware.”
The malware also steals SMS messages, contact lists, and device information. In the majority of cases, the victim is in the dark until a mobile bill arrives.
The Joker malware and its associated apps are usually found outside of the official Google Play store; however, they’ve been known to bypass Google’s protections since 2019 too. Because the malware developers make small changes to the apps, there have been periodic waves of Joker malware infestations inside the official store, including two large attacks last year. According to researchers at Zimperium, more than 1,800 Android applications infected with Joker have been removed from the Google Play store in the last four years.
In the latest wave, at least 1,000 new samples have been detected just since September, many of them finding their way into the official marketplace, researchers said.
“Malicious actors have routinely found new and unique ways to get this malware into both official and unofficial app stores,” according to a Zimperium analysis, posted Tuesday. “While they are never long for life in these repositories, the persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat-and-mouse game.”
According to Zimperium, the hackers behind the latest rendition of Joker malware, which emerged late last year, are taking advantage of legitimate developer techniques to “try and hide the actual intent of the payload from traditional, legacy-based mobile security toolsets.” This helps them evade both device-based security and app store protections.
One such method is using Flutter, an app development kit designed by Google that allows developers to craft native apps for mobile, web, and desktop from a single codebase. “Due to the commonality of Flutter, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies,” explained the researchers.
Researchers also noted another method: embedding the payload as a .DEX file that can be obfuscated in different ways, such as being encrypted with a number or hidden inside an image using steganography. In the latter case, the image is sometimes hosted in legitimate cloud repositories or on a remote command-and-control (C2) server.
Furthermore, the hackers have been using URL shorteners and a combination of native libraries to decrypt an offline payload.
Researchers said that the new samples also take extra precautions to remain hidden after a trojanized app is installed.
“After successful installation, the application infected with Joker will run a scan using Google Play APIs to check the latest version of the app in Google Play Store,” they explained. “If there is no answer, the malware remains silent since it can be running on a dynamic analysis emulator. But if the version found in the store is older than the current version, the local malware payload is executed, infecting the mobile device. If the version in the store is newer than the current one, then the C2s are contacted to download an updated version of the payload.”
“Sadly, the Joker malware is no joke,” Saryu Nayyar, CEO at Gurucul, said via email. “And even more depressing, no dark knight is going to ride in to save users from these malicious apps. Users have to manually clean their devices of this pesky malware. The good news is that it appears the only damage is financial, and likely temporary. Users who have been subscribed to premium mobile services as a result of this malware can request refunds for said services since the affected applications are known.”
Josh Bohls, CEO and founder at Inkscreen, noted earlier in the year that Joker Malware is also a problem for companies, not just individuals.
“These malicious applications can find their way into the enterprise when an infected device is enrolled in a company’s bring-your-own-device (BYOD) program, and suddenly you have a new threat vector,” he said via email. “We hope to see better app review processes by Apple and Google, and that consumer and business buyers continue to educate themselves on how to select appropriate mobile applications.”
Joker Malware Analysis
Note: This analysis of Joker Malware was carried out by CSIS Techblog.
In most of the apps the developers have inserted the Joker Malware initialization component into one or another advertisement framework. The little package of malicious code typically consists of:
• Target country checking via MCC
• Minimum C&C communication — just enough to report the infection and receive the encrypted configuration
• DEX decryption & loading
• A notification listener — when a new SMS message arrives, this listener captures it and sends out a broadcast for the Core (second stage) component to pick up.
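The notification listener in this list, like the SMS sending and contact-list access described later in the analysis, has to be declared in the host app's manifest even though the payload is loaded at run time, so a decoded manifest can be triaged for that combination. The script below is an added example, not code from CSIS or from the page; the manifests, package names and the `triage` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Permissions matching behaviour described in the analysis.
RELATED = {
    "android.permission.SEND_SMS": "can send SMS to premium numbers",
    "android.permission.READ_CONTACTS": "can read the contact list",
}

# Constructed manifests for illustration; package names are hypothetical.
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".ads.NotifyService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.clock">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def triage(manifest_xml):
    """Report notification listeners and related permissions in one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    listeners = [s.get(ANDROID + "name") for s in root.iter("service")
                 if s.get(ANDROID + "permission") == LISTENER_PERM]
    hits = sorted(perms & set(RELATED))
    return {
        "package": root.get("package"),
        "listeners": listeners,
        "reasons": [RELATED[p] for p in hits],
        # Legitimate apps also use listeners; the combination is the signal.
        "needs_review": bool(listeners) and bool(hits),
    }


if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage(xml))
```

The input must be the decoded text form of `AndroidManifest.xml`; the copy inside an APK is binary XML and has to be decoded first.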
Often, an app would contain a so-called “Splash” screen — an activity, which displays the app’s logo, while performing various initialization processes in the background. Some of the Joker apps use such activity for initialization as well.
The Joker Malware employs custom string obfuscation schemes for all of the configuration/payload/communication parsing procedures. The code listing below displays an example of an obfuscated MCC code list (DEFAULT_COUNTRY_ISO), separated by the underscore symbol.
After the initialization is done, the malware will download an obfuscated and AES-encrypted configuration from the payload distribution C&C server. Joker Malware composes the AES key for the configuration string decryption using yet another string scheme, which concatenates the app’s package name with the MCC code string and shuffles the symbols around in a specific way.
The configuration string above contains the necessary information about the second stage code — the core component of the Joker. Being split by a 3-symbol delimiter, the configuration string above contains (ordered):
1. The URL for the Joker Core DEX file — this file is obfuscated
2. The de-obfuscation “keys” — indexes of the obfuscated read buffer
3. The initialization class name — the class, which implements the initialization method
4. The initialization method name — which method to call upon loading
5. The C&C URL
6. The campaign tag
The Loader downloads the DEX and starts the de-obfuscation routine. This routine reads the DEX file into a buffer 128 bytes at a time. The de-obfuscation “keys” are the positional indexes for this buffer. For each iteration, the routine reads the bytes of the obfuscated buffer only between these positions and writes them into a file, producing a valid DEX file in the end.
This Joker malware kit stands out as a small and silent one. It uses as little Java code as possible and thus leaves as small a footprint as possible. After all of the Loader’s MCC checks and payload loading, the Core component begins its work.
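For analysts unpacking a captured sample offline, the six-field configuration layout and the 128-byte chunked de-obfuscation described above can be sketched as follows. This is an added example, not code from CSIS or from the malware; the `###` delimiter, the `start-end` key encoding, the field names and every sample value are assumptions constructed for illustration.

```python
CHUNK = 128                      # read-buffer size stated in the analysis
DELIM = "###"                    # assumption: the real 3-symbol delimiter is not given
FIELDS = ("dex_url", "deobf_keys", "init_class",
          "init_method", "c2_url", "campaign_tag")   # order as listed above

# Constructed sample config; every value is a placeholder, not a real IoC.
CONSTRUCTED_CONFIG = DELIM.join((
    "https://payload.example.invalid/core.bin", "16-80",
    "com.example.Init", "start", "https://c2.example.invalid/api", "tag01"))


def parse_config(decrypted, delim=DELIM):
    """Split an already-decrypted config string into its six named fields."""
    parts = decrypted.split(delim)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    cfg = dict(zip(FIELDS, parts))
    # Assumption: the keys are encoded as "start-end" offsets into the buffer.
    start, end = (int(v) for v in cfg["deobf_keys"].split("-"))
    if not 0 <= start < end <= CHUNK:
        raise ValueError("key indexes fall outside the 128-byte buffer")
    cfg["deobf_keys"] = (start, end)
    return cfg


def deobfuscate(blob, keys):
    """Keep only bytes between the key positions of every 128-byte chunk."""
    start, end = keys
    out = bytearray()
    for off in range(0, len(blob), CHUNK):
        out += blob[off:off + CHUNK][start:end]
    if not out.startswith(b"dex\n"):          # every DEX file begins with this magic
        raise ValueError("output is not a DEX file; wrong keys or wrong sample")
    return bytes(out)


def constructed_sample(keys=(16, 80)):
    """Build a harmless stand-in blob: fake DEX bytes wrapped in filler."""
    start, end = keys
    payload = b"dex\n035\x00" + bytes(120)    # header magic plus zero bytes
    blob = b"".join(
        b"\xAA" * start + payload[i:i + end - start] + b"\xBB" * (CHUNK - end)
        for i in range(0, len(payload), end - start))
    return payload, blob


if __name__ == "__main__":
    cfg = parse_config(CONSTRUCTED_CONFIG)
    payload, blob = constructed_sample(cfg["deobf_keys"])
    print(cfg["c2_url"], cfg["campaign_tag"], deobfuscate(blob, cfg["deobf_keys"]) == payload)
```

The parsed `dex_url`, `c2_url` and `campaign_tag` fields are the values worth recording as indicators once a real configuration has been decrypted.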
It is designed in a job-scheduler fashion, meaning that it periodically requests new commands from the C&C server. When found, it executes them in strict order and then reports the results, depending on the type of the given task. The below figure is an example of a command (truncated).
When Joker Malware receives such a message, it proceeds to open the offer URL, injects the JavaScript commands one by one and waits for an authorization SMS (if any). When the SMS message arrives, the malware extracts the necessary authorization code using case-specific regular expressions. At other times, it simply sends an SMS message to a premium number, with a specific code from the offer page.
Whenever the Joker malware extracts a code from an SMS message, it also reports it to the C&C after the job is complete. Hypothetically, the botnet operator can craft a job that would result in all incoming SMS messages being stolen.
The final important thing worth mentioning about the Joker Malware is the phone book contact list theft. The core component collects all numbers in the contact list and sends them over to the C&C in an encrypted form:
A total of 12 unique builds of the second stage payload were observed among the 24 infected apps. The version names come from the payload URLs and data inside the sample’s configuration class:
Protection
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.