Joker billing fraud malware found in Google Play Store

The Android malware circumvented security controls by using short URL tricks.
Written by Charlie Osborne, Contributing Writer

Malicious Android apps harboring the Joker malware have been discovered in the Google Play Store. 

On Tuesday, cybersecurity researchers from Zscaler's ThreatLabz said that a total of 11 apps were recently discovered and found to be "regularly uploaded" to the official app repository, accounting for approximately 30,000 installs between them. 

The Joker malware family is a well-known variant that focuses on compromising Android devices. Joker is designed to spy on its victims, steal information, harvest contact lists, and monitor SMS messaging. 

When malicious apps containing Joker land on a handset, they may be used to conduct financial fraud, such as by covertly sending text messages to premium numbers or by signing up victims to wireless application protocol (WAP) services, earning their operators a slice of the proceeds. 

Joker also abuses Android alert systems by asking for permission to read all notifications. If granted by the user, this allows the malware to hide notifications relating to fraudulent service sign-ups. 

The latest set of offending mobile applications include "Translate Free," "PDF Converter Scanner," "Free Affluent Message," and "delux Keyboard." 

Overall, over 50 Joker payloads have been detected in Android apps in the past two-and-a-half months, with utilities, health, and device personalization among the main app categories targeted. 


According to the researchers, Joker operators are constantly switching up their methods to bypass security mechanisms and Google Play vetting processes. 

"Despite public awareness of this particular malware, it keeps finding its way into Google's official application market by employing changes in its code, execution methods, or payload-retrieving techniques," the researchers say. 

We've seen some malware operators in the past use malicious updates to deploy Trojans on apps that first appeared benign, but in Joker's case, URL shortener services appear to be a firm favorite to retrieve initial payloads. 

"Unlike the previous campaign where the payloads were retrieved from the Alibaba Cloud, in this campaign we saw the Joker-infected apps download the mediator payload with URL shortener services like TinyURL, bit.ly, Rebrand.ly, zws.im or 27url.cn to hide the known cloud service URLs serving stage payloads," ThreatLabz says. 

Both an old and new variant of Joker have been detected in recent months. In the second case, the URL shortener tactic was also used to download and execute second and final-stage payloads. 

A point of interest is that in some samples, the malicious apps will first check for the presence of four other apps that were available in Google Play, and if they are found, the malware will not deploy additional payloads. At the time of writing, two of these apps have been taken down. 

"From the listed apps categories and developer names we assume that these are again Joker-related apps that can be used to assess the infected devices," the team noted.

ThreatLabz says that the prevalence of the Joker malware, the constant evolution of attack tactics, and the number of payloads constantly being uploaded to app repositories reveals that the malware's authors are constantly "succeeding" in bypassing vetting restrictions and security controls. 

However, Google takes malicious app reports seriously and, such as in this case, rapidly removed the offending Joker apps from Google Play. 

In related news this week, Atlas VPN published research on the state of Android security. According to the team, over 60% of Android apps contain vulnerabilities, with an average of 39 bugs per application.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards