Joker Billing Fraud Malware Found in 11 Apps On Google Play Store

Joker Billing Fraud Malware Found in 11 Apps On Google Play Store

Researchers have detected a number of apps on the Google Play Store that contain the Joker malware. The apps were discovered following an extensive investigation by Zscaler’s ThreatLabz.

According to the researchers, a total of 11 apps were discovered that were regularly uploaded to the App Store. The researchers discovered that these apps had around 30,000 installs in total.

Joker is a prominent malware family that focuses on stealing sensitive information from Android users, such as SMS messages and credentials.

When a malicious app is installed on a phone, it can be used to carry out financial fraud. For instance, Joker can be used to covertly send text messages to premium numbers or sign up victims for wireless application protocol services to generate income for its operators. Joker also tries to hide all the notifications that appear on the Android alert system to keep its activities undetected.

The latest set of mobile applications that have been identified as potentially dangerous are “Translate Free,” “Free PDF Converter,” “Free Affluent Message,” and “Delux Keyboard.”

Over the past couple of months, 50 Joker payloads have been spotted in Android apps, mostly targeting various app categories.

The researchers stated that Joker operators are constantly changing their methods to avoid security protocols and Google Play’s vetting processes.

“Despite public awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques,” the researchers say.

Joker’s method is similar to how other malware operators deploy Trojans: by using a URL shortener service to extract payloads.

“Unlike the previous campaign where the payloads were retrieved from the Alibaba Cloud, in this campaign we saw the Joker-infected apps download the mediator payload with URL shortener services like TinyURL,,, or to hide the known cloud service URLs serving stage payloads,” ThreatLabz says.

The old and new variants of Joker were both detected in recent months. In both cases, the attackers used a URL shortener to download and execute payloads. Some samples were only installed if there were no other apps installed that contained the same malicious code.

“From the listed apps categories and developer names we assume that these are again Joker-related apps that can be used to assess the infected devices,” the team noted.

According to ThreatLabz, the Joker malware is still very prevalent and is constantly updated with new attack techniques. The company also noted that the malware’s authors can easily bypass security controls by uploading their payloads to app repositories.

Google takes malicious app reports very seriously and swiftly removed the fake apps.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.