Menu Close

The Joker Returns! Joker Trojans target the Android ‘Ecosystem’!

Share This Post

Share on facebook
Share on linkedin
Share on twitter
Share on email

Sept. saw dozens of Joker malware variants attacking Google Play & 3rd-party app stores!

More variations of the Joker Android malware are appearing in Google Play as well as 3rd-party app stores, in a trend that points to a specific targeting of the Android mobile platform.

64 New Variants

Researchers at Zscaler have discovered 17 different samples of Joker being regularly uploaded to Google Play during Sept. These have represented 120,000 downloads, the firm commented.

Zimperium analysts explained that they are finding malicious applications on user devices daily, mainly arriving through 3rd-party stores, side-loaded applications & malicious websites that trick users into downloading & installing apps.

Together, they have identified 64 new variants of Joker during Sept. alone.


The Joker malware has been about since 2017, & it’s a mobile trojan that carries out a type of billing fraud that researchers categorise the malware as “fleeceware”. The Joker apps advertise themselves as legitimate apps (e.g. games, wallpapers, messengers, translators & photo editors).

Once installed, they simulate clicks & intercept SMS messages to subscribe victims to unwanted, paid premium services. The apps also steal SMS messages, contact lists & device information.

Google Play

Malicious Joker apps are usually found outside of the official Google Play store, as Zimperium explained, but Joker apps have continued to ‘outfox’ Google Play’s protections since 2019 too. That is mostly because the malware’s author keeps making small changes to its attack methods.

“Joker keeps finding its way into Google’s official application market by employing changes in its code, execution methods or payload-retrieving techniques,” observed researchers with Zscaler, in a recent blog. The 17 apps they flagged in Google Play have been removed, they further added.

DEX file

Joker’s main function is carried out by loading a DEX file, comments a technical analysis from Zimperium. DEX files are executable files saved in a format that contains compiled code written for Android. Multiple DEX files are typically zipped into a single .APK package, which serves as a final Android application file for most programs.

In Joker’s case, an application, when installed, connects to a URL to receive a payload DEX file, which is “almost the same among all the Jokers, except that some use a POST request while others use a GET request,” explains Zimperium.


“The Joker trojans pose a higher risk to Android users as the user interface is designed to look very normal & covertly perform the malicious activity,” according to Zimperium researchers. “The trojan displays the screen…with a progress bar & ‘Loading data…’ but is meanwhile connecting to the first-stage URL & downloading the payload.”

Joker apps also use ‘code-injection’ techniques to hide among commonly used package names like org.junit.internal, or com.unity3d.player.UnityProvider, Zimperium analysts noted.

“The purpose of this is to make it harder for the malware analyst to spot the malicious code, as 3rd-party libraries usually contain a lot of code & the presence of additional obfuscation can make the task of spotting the injected classes even harder, they explained in a blog posting on Mon. “Furthermore, using legit package names defeats naïve blacklisting attempts.”

AES Encryption

Recent variants showed some new tricks, such as the use of AES encryption, & code injection into Android’s “content provider” function.

“In an attempt to hide the interesting strings related to the maliciousness of Jokers, the trojan retrieves the encrypted strings from resources (/resources/values/strings.xml) which is decrypted using ‘AES/ECB,’” described Zimperium researchers.

“The decryption mechanism in Jokers is usually a plain AES or DES encryption that has evolved in an attempt to not raise suspicion with the encrypted strings by obfuscating them.”


The new variants also insert code into functions of the content provider, which is an Android component used to handle databases and information through functions like query() & delete(), researchers outlined.

It is obvious that Joker continues to be a problem for Android users.

“Every day, Zimperium’s researchers find malware installed on user devices,” the firm concluded. “Malware that is not supposed to be there, but that is. The samples reported in this blog post are just a subset of them – the tip of the iceberg.”

Virtual Conference November 2020


More To Explore

Community Area


Home Workouts


spaghetti Bolognese