“Joker”—the malware that signs you up for pricey services—floods Android markets

Enlargeportal gda / Flickr

September has been a busy month for malicious Android apps, with dozens of them from a single malware family alone flooding either Google Play or third-party markets, researchers from security companies said.

Known as Joker, this family of malicious apps has been attacking Android users since late 2016 and more recently has become one of the most common Android threats. Once installed, Joker apps secretly subscribe users to pricey subscription services and can also steal SMS messages, contact lists, and device information. Last July, researchers said they found Joker lurking in 11 seemingly legitimate apps downloaded from Play about 500,000 times.

Late last week, researchers from security firm Zscaler said they found a new batch comprising 17 Joker-tainted apps with 120,000 downloads. The apps were uploaded to Play gradually over the course of September. Security firm Zimperium, meanwhile, reported on Monday that company researchers found 64 new Joker variants in September, most or all of which were seeded in third-party app stores.

And as ZDNet noted, researchers from security firms Pradeo and Anquanke found more Joker outbreaks this month and in July respectively. Anquanke said it had found more than 13,000 samples since it first came to light in December 2016.

“Joker is one of the most prominent malware families that continually targets Android devices,” Zscaler researcher Viral Gandhi wrote in last weeks post. “Despite awareness of this particular malware, it keeps finding its way into Googles official application market by employing changes in its code, execution methods, or payload-retrieving techniques.”

Digital sleight of hand

One of the keys to Jokers success is its roundabout way of attack. The apps are knockoffs of legitimate apps and, when downloaded from Play or a different market, contain no malicious code other than a “dropper.” After a delay of hours or even days, the dropper, which is heavily obfuscated and contains just a few lines of code, downloads a malicious component and drops it into the app.

Zimperium provided a flow chart that captures the four pivot points each Joker sample uses. The malware also employs evasion techniques to disguise download components as benign applications like games, wallpapers, messengers, translators, and photo editors.


The evasion techniques include encoded strings inside the samples where an app is to download a dex, which is an Android-native file that comprises the APK package, possibly along with other dexes. The dexes are disguised as mp3 .css, or .json files. To further hide, Joker uses code injection to hide among legitimate third-party packages—such as org.junit.internal,, or com.unity3d.player.UnityProvider—already installed on the phone.

“The purpose of this is to make it harder for the malware analyst to spot the malicious code, as third-party libraries usually contain a lot of code and the presence of additional obfusRead More – Source