“I am an agent of chaos”, a Joker, played by Heath Ledger said in the Dark Night movie. It seems like this catchphrase has also struck a chord with a clique of cyber-fraudsters behind the eponymous malware type — Joker.


What Is Joker Malware?

Joker malware — a nickname for Bread group of malware — is a malicious code snippet, embedded in Android apps to initiate mobile fraud, either by:

  • Sending SMS messages on user behalf to buy unwanted products/subscriptions or by sending texts to premium numbers.
  • Engaging in toll billing (WAP fraud) — hackers attempt to initiate a payment using the infected device’s connection to make premium charges to the owner’s account.

In both cases, mobile spending happens without user knowledge or consent.

Joker malware has been pestering Google Security specialists since early 2017. By leveraging an array of fraudulent techniques, Joker-infected apps repeatedly escaped Google security algorithms by changing the malware footprint and trying new methods for passing on malicious code.

Since 2017, Google detected and  blocked over 1,700 apps, containing Joker malware. Still, in a 3-month period, Secure-D algorithms have blocked over 60 apps that have been accused of containing Joker malware.


What makes Joker malware a nifty criminal? 

The real challenge with Joker malware is in a state of constant flux, with hackers adapting malicious code to outwit Google’s detection mechanism.

Apart from already using well-known cloaking and data obfuscation mechanisms (aimed at hiding malicious code), the clique behind Joker also uses the “versioning” technique.

In such cases, they initially submit a clean app to the Play Store to sneak inside the ecosystem undetected. After amassing an early user-base, often by the means of YouTube promo videos and ads, the team moves to the ‘scam phase’.

During the app update, they sneak in malicious code into the new app version and often ask users to grant unrelated permissions to the app. For example:

  • Access to camera
  • Wallpaper
  • SMS
  • Call logs
  • Photo editing
  • Location 

In some cases, unsuspecting users have granted applications permission to read their private text exchanges and access other sensitive information, stored on the device. After the initial wait out period, the app auto-downloads malware, by leveraging the given permissions. This is known as a “dropper” attack.

Dropper attacks can go fully unnoticed by Google’s scanning algorithms. This is why Joker malware is hard to detect and curb for good. 

To keep the ploy going for longer, malicious app publishers also leverage fake reviews.

Most of the Joker-infected apps initially had high rankings on Google Play to instill a fake sense of legitimacy into the app, plus conceal genuine negative feedback.


Joker malware still circulates around town

Though Google has been extra vigilant, Joker malware keeps finding its way back to user devices. In some cases, fraudsters are using the “versioning” technique described above to upload slightly remade versions of banned apps to Google Play.

During the past 3 months, the Secure-D lab team found that 30% of malicious apps, previously blocked by our anti-fraud algorithms due to fraudulent background activities are still available or were previously available on Google Play.

Additionally, already called-out apps with Joker malware keep re-emerging outside of Google Play. For instance, we found the “Blue Scanner” app live on an unofficial marketplace:

blue scanner apk


Remember: Downloading mobile apps from unofficial marketplaces or via direct links increases your chances of getting malware.


How not to get duped by Joker malware

As a user, you should always exercise caution when it comes to new app downloads. To avoid getting tricked into downloading a Joker-infected app, stick to the following simple behaviors:

— Carefully review all the requested permissions before downloading. If an app requests any permissions related to SMS, call logs, contacts, be extra vigilant and try to learn why these are needed.

— Review the developer’s profile and quickly check if any negative reviews or media coverage comes up.

— Check news from mobile security vendors such as Secure-D to be in-the-know of all the emerging threats.

Make sure to check below the latest infected apps as reported in Forbes, carrying the Joker malware. If you have either of these apps installed on your phone, remove them immediately

  • All Good PDF Scanner
  • Mint Leaf Message-Your Private Message
  • Unique Keyboard – Fancy Fonts & Free Emoticons
  • Tangram App Lock
  • Direct Messenger
  • Private SMS
  • One Sentence Translator – Multifunctional Translator
  • Style Photo Collage
  • Meticulous Scanner
  • Desire Translate
  • Talent Photo Editor – Blur focus
  • Care Message
  • Part Message
  • Paper Doc Scanner
  • Blue Scanner
  • Hummingbird PDF Converter – Photo to PDF