New Wave of Joker Android Malware in the Wild

After a lull, the Joker billing fraud malware is back on the Google Play store. Researchers working with mobile security company Zimperium have published a report on the new uptick of apps carrying the Joker malware.

The Joker mobile malware is usually classified as fleeceware or billing fraud malware. It piggybacks inside legitimate-looking applications of all kinds, ranging from photo manipulation apps to mobile games and messaging apps. Once the app is installed, Joker quietly starts executing clicks, without any user permission or consent, and subscribes the user to all sorts of paid premium services that are run and operated by the threat actors behind the malware.

In most cases, the victim has no idea what is going on, as everything is executed silently; the realization that something is very wrong usually arrives with the phone bill for the month, and by that time it is a little late. Joker can also intercept and steal SMS texts, and it can scrape contacts and information about the infected device.

As with most mobile malware, you are a lot more likely to run into an app package that carries Joker if you fish for .apk application packages outside the official Google Play store, but there have been enough instances of apps on the official store carrying Joker too. Zimperium stated that over the course of the past four years a total of 1,800 applications carrying Joker have been taken down from the Google Play store.

Despite the multiple waves of removals, the bad actors behind Joker keep tweaking and improving the malware. Even though malware-infested apps never survive security sweeps for long, the simple fact that something like Joker keeps coming back shows just how persistent and stubborn the hackers behind it are.

One of the latest tricks that Joker uses to evade detection, both locally on devices and on the Play Store, is hiding the payload in a .dex file that is either encrypted or concealed inside an image file using steganography techniques. The cherry on top is that the image file may be hosted on a remote, legitimate cloud service or even on the malware's own command and control servers, so it is not present in the app package at all at review time.
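The following is an added defender-side example, not code from the original article or from Zimperium. It shows one cheap triage check for the packaging trick described above: an APK is a zip archive, so the scanner walks the archive, picks out image assets, and flags any that carry a DEX file header or that have data appended after the legitimate end-of-image marker (shown here for PNG). The sample APK is constructed inline so the check runs offline; all file names in it are made up.

```python
import io
import re
import zipfile

# DEX file magic: "dex\n" followed by a 3-digit version and a NUL byte, e.g. "dex\n035\0".
DEX_MAGIC = re.compile(rb"dex\n\d{3}\x00")
# Marker that terminates a well-formed PNG; any bytes after it are not image data.
PNG_END = b"IEND\xaeB`\x82"
IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".webp")


def scan_image_bytes(data: bytes) -> dict:
    """Inspect one image blob for a plain DEX header and for data appended after the image ends."""
    findings = {
        "dex_offsets": [m.start() for m in DEX_MAGIC.finditer(data)],
        "trailing_bytes": 0,
    }
    if data.startswith(b"\x89PNG"):
        end = data.find(PNG_END)
        if end != -1:
            # Anything after IEND is a trailer; an encrypted payload would show up here
            # even though its DEX magic is not visible in the clear.
            findings["trailing_bytes"] = len(data) - (end + len(PNG_END))
    return findings


def scan_apk(apk_bytes: bytes) -> list:
    """Return (entry name, findings) for every image entry in the APK that looks tampered with."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(IMAGE_EXT):
                continue
            result = scan_image_bytes(zf.read(info))
            if result["dex_offsets"] or result["trailing_bytes"] > 0:
                hits.append((info.filename, result))
    return hits


def build_sample_apk() -> bytes:
    """Constructed sample (not a real Joker artifact): a minimal zip with one clean PNG
    and one PNG that has a DEX header plus filler appended after IEND."""
    clean_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + PNG_END  # 32 bytes
    tainted_png = clean_png + b"dex\n035\x00" + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")          # placeholder, hypothetical content
        zf.writestr("res/drawable/logo.png", clean_png)           # hypothetical clean asset
        zf.writestr("assets/images/splash.png", tainted_png)      # hypothetical carrier asset
    return buf.getvalue()


if __name__ == "__main__":
    for name, result in scan_apk(build_sample_apk()):
        print(f"{name}: dex magic at {result['dex_offsets']}, "
              f"{result['trailing_bytes']} bytes after image end")
```

The trailing-data check is the one worth keeping even when the payload is encrypted, because the DEX magic is then not visible but the appended blob still is. Two limits follow directly from the article: pixel-level steganography (payload spread through the image data rather than appended to it) needs entropy or statistical analysis that this heuristic does not do, and a payload fetched at runtime from a remote host is never in the package, so static scanning has to be paired with monitoring of what the app downloads and loads after installation.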

Joker can also check whether the environment it has landed on is an emulator of the kind used for sandboxing and research, and adjust its behavior accordingly.

July 14, 2021