Joker malware is back again. Found hiding inside of seemingly legitimate applications , a new variant of the Joker Dropper and Premium Dialer spyware was discovered by Check Point’s researchers in the Google Play Store. The new ,updated Joker malware can download additional malware to the device, which in turn subscribes the victim to a number of premium services without their consent.

Google has subsequently removed 11 apps from the Play Store infected with the notorious Joker malware. The applications include include, com.relax.relaxation.androidsms, com.cheery.message.sendsms (two different instances), com.peason.lovinglovemessage,, com.hmvoice.friendsms, com.file.recovefiles, com.LPlocker.lockapps, com.remindme.alram and


Last year also Joker malware's presence was seen in 37 countries, with India as one of the affected countries. Google found out about the presence of the Joker malware in 24 apps available for download on the Play Store and as a corrective measure, it had removed these apps for the Play Store.

The researchers have said that with small changes to its code the Joker malware to get past the Play store’s security and vetting barriers. This time along the Joker malware has adopted an old technique from the conventional PC threat landscape to avoid detection by Google. The newly modified Joker virus uses two main components to subscribe, app users to premium services. These components are: Notification Listener service and dynamic dex file loaded from the C&C server.


What is Joker malware?

Joker is a type of malware for Android. Reportedly, the malware steals money from a user’s account by signing them up for premium subscriptions. It starts by silently simulating interaction with an advertisement without the user knowing and then even steals the victim’s SMS messages, which might contain OTP to authenticate payments.

Which means, with the access to their SMS inbox, the hacker could be stealing money without the users knowing anything about it, unless they check their account statement.

This strategy works by automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for a SMS message with a confirmation code and extracting it using regular expressions. Finally, the Joker submits the extracted code to the offer’s webpage, in order to authorize the premium subscription.

Posted By: Tushar Kumar Laleria