Joker Malware Returns To Android Devices Through Play Store, Google Removed 11 Malicious Apps

Earlier this year, Google published a detailed report on a dangerous Android malware called Joker, which the company has been tracking since 2017. It appears that the malware is back on Google Play with a new mask.

Check Point warns that this malware is one of the most sophisticated threats of its kind, and reported that Joker has made a comeback on the Google Play Store as a result of a small change in its code that enabled it to get past the security protections of Android. It has also been reported that Google has removed 11 malicious apps (under various categories) from its Play Store that had been hosting the malware. If you have any of these apps installed on your device, be sure to remove them as soon as possible:


Back in February of this year, Joker infected over 300,000 devices just a month after Google removed nearly 1,700 malicious apps from the Play Store. Joker subscribes the victim to fraudulent services, or dials and texts premium numbers. Users need to track down and cancel those services even after uninstalling the malicious applications.

According to Check Point, Joker has discovered a new place to hide in order to bypass the security protection of the Google Play Store. Aviran Hazum of Check Point explained that Joker now hides in the manifest file of the infected application. The actor pushed an encoded malware payload into metadata fields in the file. The payload is decoded and loaded only once it is on the victim's device. Joker is now hiding its malicious dex file in the application as Base64-encoded strings.
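A defender-side check for the hiding place described above, as an added example that is not code from Check Point or Google: it scans the `<meta-data>` entries of a manifest for values that Base64-decode to a DEX file header. It assumes the manifest has already been decoded from the APK's binary format to plain XML and that the whole payload sits in a single value; the sample manifest and its names are constructed.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# A DEX file starts with "dex\n", a three-digit version and a NUL byte.
DEX_MAGIC = re.compile(rb"dex\n\d{3}\x00")


def find_encoded_dex(manifest_xml):
    """Return (name, decoded_size) for each <meta-data> value hiding a DEX header."""
    hits = []
    root = ET.fromstring(manifest_xml)
    for node in root.iter("meta-data"):
        name = node.get(ANDROID_NS + "name", "")
        value = node.get(ANDROID_NS + "value", "")
        compact = "".join(value.split())  # tolerate wrapped Base64
        if len(compact) < 12:  # too short to hold the 8-byte magic
            continue
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            continue  # ordinary metadata that is not Base64
        if DEX_MAGIC.match(decoded):
            hits.append((name, len(decoded)))
    return hits


# Constructed sample: a DEX magic followed by zero bytes, not real malware.
_FAKE_DEX = base64.b64encode(b"dex\n035\x00" + bytes(32)).decode()
SAMPLE_MANIFEST = f"""<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <application>
    <meta-data android:name="com.example.API_KEY" android:value="QUJDREVGR0hJSktMTU5PUA=="/>
    <meta-data android:name="com.example.cfg" android:value="{_FAKE_DEX}"/>
    <meta-data android:name="com.example.channel" android:value="stable"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, size in find_encoded_dex(SAMPLE_MANIFEST):
        print(f"meta-data {name!r} decodes to a DEX header ({size} bytes)")
```

A payload that is split across several fields or wrapped in a further encoding layer would not match this check, which only covers the single-value case.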

Every time Joker is caught, Google adds the samples and methods to its watch list, which is used to screen Play Store applications for threats. The core functionality of Joker remains the same, but its methods keep changing every time. Although the malicious applications have been removed from the Play Store, Check Point warns that there may be other malicious apps on the Google Play Store.

You will not know that your device has been infected, and you will need to keep an eye out for strange billing services that you have not subscribed to. Check Point explained that the malware detects the region where the victim is located, and then determines relevant premium services that can be accessed from that location. Joker registers the victim's mobile number with the premium service and waits for verification through SMS. Because it has SMS permissions, it then reads the code and enters it into the verification page for that premium service.

Joker also deletes the messages so the victim will not be alerted. That is how the victim ends up subscribed to a new premium service without even knowing it.
