Joker Malware Discovered in Google Play Store
Reading Time: 2 minutes

Joker malware discovered in Google Play Store. Researchers at Zscaler’s ThreatLabz reported on Tuesday about 11 apps were discovered and found to be “regularly uploaded” to the official app repository. These apps have approximately 30,000 installs.

What is Joker Malware?

Joker Malware is a variant of the Joker malware family. It focuses on compromising Android devices, by spying on its victims to steal information, harvest contact lists, and monitor SMS messaging.

How Joker Billing Fraud Malware Works?

Joker Billing Fraud Malware lands on a handset via a malicious app and is used to conduct financial fraud. This is achieved by secretly sending text messages to premium members or signing up victims to Wireless Application Protocol(WAP) services, earning their operators a slice of the proceeds.

Once the malware gains access for permission to read all notifications, it is able to hide notifications related to fraudulent service sign-ups.

Application Affected by the Malware

  • Translate Free
  • PDF Converter Scanner
  • Free Affluent Message
  • Delux Keyboard

The researchers have detected more than 50 joker payloads in Android apps in the last two and half months. It has been targeting apps in categories related to Health & Fitness, Photography, Tools, Personalization, and Communication.

The malware operators are constantly changing tactics to bypass security mechanisms and Google Play vetting processes.

The researchers further added, “Despite public awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques.”

The malware operators have been known to use malicious updates to deploy Trojan to appear harmless. In the case of Joker, the operators have chosen the URL shortener services to retrieve initial payloads.

ThreatLabz in a blog post said, “Unlike the previous campaign where the payloads were retrieved from the Alibaba Cloud, in this campaign we saw the Joker-infected apps download the mediator payload with URL shortener services like TinyURL,,, or to hide the known cloud service URLs serving stage payloads.”

Operators are using both old and new variants of Joker malware, they are also using URL shortener methods to download and execute second and final sage payloads.

The research teams noted, “From the listed apps categories and developer names we assume that these are again Joker-related apps that can be used to assess the infected devices.”

The attackers are successful in executing the Joker malware as they are constantly changing tactics to launch attacks. Google on the other hand takes app security more seriously and has been actively removing the offending Joker apps from Google Play.

Related Articles:

Ransomware Attacks Target Unpatched EOL SonicWall SMA 100 VPN Appliances
Russian Cybersecurity Firms Added To Trade Blacklist By the US Commerce Department
DOJ charges 4 Chinese Nationals with State-Backed Worldwide Hacking Campaign