Joker Malware is spyware that keeps finding its way onto the Google Play Store through a variety of tricks. The name “Joker” is taken from one of the C&C domains of earlier found samples.

According to the investigation, this malware penetrates users’ devices via applications. By July 2020, this malware had infected over 1700 applications that were available on Google Play Store.

Joker malware has forced Google Play Store to remove the compromised applications from its platform. But since malware authors keep making small changes in their code, many researchers are still finding apps rigged with this spyware.

It steals personal data such as SMS messages, contacts, device information, OTPs, and other relevant information. It quietly cooperates with third-party advertisers and registers the user for paid services without their prior approval.

Quick Heal Security Labs researchers found eight applications on Google Play Store infected with the Joker Malware. Google Play Store has removed these applications after Quick Heal Security Labs researchers reported them.

Joker Malware Infected Applications

The following applications were found to contain Joker malware. If you still have any of the apps below installed, we recommend that you uninstall them immediately.

  1. Auxiliary Message
  2. Free CamScanner
  3. Element Scanner
  4. Travel Wallpapers
  5. Fast Magic
  6. SMS Super Message
  7. Go Messages
  8. Super SMS

These applications were downloaded more than 50,000 times from the Google Play Store. According to the same researchers, this malware is usually spread through scanner applications, wallpaper applications, and message applications.

How Joker Malware Works

Let’s take a look at how Joker Malware works through an infected application on your Android phone.

We will be taking a look at the “Element Scanner” App, which is developed by “Obrien Connie” and has a download count of “10K+”.

Step 1: When launched, this app asks for notification access. After that, it also acquires access to SMS data and contacts, along with the permission to manage phone calls. Meanwhile, it behaves like a normal scanner application, giving the user no hint of malicious activity.

Step 2: Behind the scenes, the same application downloads two suspicious payloads. The first payload belongs to a Bitly short URL link, downloaded from Google Play Store; the second payload, which comes next, is the malicious Joker Malware. You can identify it by its URL, “h**p://skullali[.]oss-me-east 1[.]aliyuncs.com/realease.mp3”.

Step 3: This second payload releases the .mp3 file, which contains the code for notification access; its onReceive method collects received SMS data.

Step 4: Depending on the SIM provider’s country code, it subscribes the user to premium services.
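
A defender-side check for the permission pattern described in Step 1, as an added example that is not from the original article or from Quick Heal's analysis: it reads a decoded, text-form AndroidManifest.xml and flags an app that pairs notification access with SMS access. The permission grouping, the flagging rule and both sample manifests are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Grouping of the access named in Step 1 (an assumption of this example).
GROUPS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "phone": {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE"},
}

def audit_manifest(xml_text):
    """Return the sorted sensitive capabilities a decoded manifest requests."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    found = {group for group, perms in GROUPS.items() if requested & perms}
    # Notification access never appears as <uses-permission>: the app declares a
    # <service> guarded by the listener permission and the user enables it later.
    if any(s.get(NS + "permission") == LISTENER for s in root.iter("service")):
        found.add("notifications")
    return sorted(found)

def is_suspicious(xml_text):
    """Flag notification access combined with SMS access (this example's rule)."""
    found = audit_manifest(xml_text)
    return "notifications" in found and "sms" in found

# Constructed sample manifests, not taken from any real app.
RISKY = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".Listener"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
PLAIN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainscanner">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for label, doc in (("risky", RISKY), ("plain", PLAIN)):
        print(label, audit_manifest(doc), is_suspicious(doc))
```

A scanner or wallpaper app has no functional need for this combination, so a hit is a reason to review the app, not proof that it is malicious.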

A Few Tips to Stay Safe from Joker and Other Malware

Below, you will find a few security tips recommended by various cybersecurity experts to stay safe from Joker and other similar malware.

  • Make sure to download applications from trusted platforms only.
  • Use a Virtual Private Network to encrypt your network traffic.
  • Learn to tell the difference between fake and authentic applications. Look for the verified mark.
  • Never click on suspicious links received via SMS, social media messages, or email.
  • Keep the option “install from unknown sources” disabled.
  • Check for unusual data usage.
  • Always stay vigilant when granting app permissions.
  • Pay close attention to the application’s reviews and ratings.
  • Use antivirus apps specially developed for Android OS such as Bitdefender Mobile Security, Norton Mobile Security, McAfee Mobile Security. Some VPN services also offer an antivirus feature.