The Joker: Malware That is Anything But Funny

July 26th · 4 min read

Android malware is nothing new, but despite Google's best efforts, the official Google Play Store continues to be a source of threats to everything from sensitive personal information and social media login credentials to your bank account. The Joker malware has been around since 2017 and has once again weaseled its way into the Google Play Store, but this time, it goes further by rendering the device useless or stealing information. This Joker is anything but funny.


What does the Joker Malware do?

"Why so serious?" - The Joker (The Dark Knight, 2008)

The Joker Malware is a 'trojan' malware, activated when someone installs an affected app. This malware is packed in with apps in the Google Play Store. Users find an app they'd like to use and install the app onto their mobile devices. Some such apps include those with camera filters, text message enhancers, phone optimizers, fake antivirus programs, and personalization tools for ringtones and phone wallpapers.

After a victim installs an infected app from the Google Play Store, the malware is able to read and send SMS (text) messages to and from the affected device and access the victim's contact lists and device information. The malware also enrolls victims in premium service subscriptions, resulting in several recurring monthly charges that can sometimes be difficult to cancel. The app does exactly what it says it'll do, so the user is none the wiser as the malware begins to wreak havoc.
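The capabilities described above map to Android permissions that an app has to request, so one defensive check is to compare what an installed app asks for with what its stated purpose needs. The following is an added example, not part of the original article: the sample text is constructed to look like `adb shell dumpsys package <name>` output, `com.example.wallpaper` is a made-up package, and the keyword match on the app label is a simplifying assumption.

```python
import re

# Permissions matching the capabilities above: SMS, contacts, device/SIM info.
RISKY = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "receive SMS",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_PHONE_STATE": "read device/SIM info",
}

# Categories named in the article whose purpose needs none of these. Messaging
# apps are left out: SMS access is expected there, so this check cannot judge them.
UNRELATED_PURPOSE = re.compile(
    r"wallpaper|camera|clean|vpn|scanner|antivirus|ringtone", re.I)

# Constructed sample shaped like `adb shell dumpsys package <name>` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.wallpaper] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.SEND_SMS
      android.permission.READ_PHONE_STATE
    install permissions:
      android.permission.INTERNET: granted=true
"""


def requested_permissions(text):
    """Return the names listed under 'requested permissions:' (not grants)."""
    perms, in_section = set(), False
    for line in text.splitlines():
        s = line.strip()
        if s == "requested permissions:":
            in_section = True
        elif in_section and (not s or s.endswith(":")):
            break  # blank line or next section header ends the list
        elif in_section:
            perms.add(s.split(":")[0])  # drop any ': restricted=true' suffix
    return perms


def audit(label, text):
    """List risky capabilities the app's stated purpose does not explain."""
    if not UNRELATED_PURPOSE.search(label):
        return []
    return sorted(RISKY[p] for p in requested_permissions(text) & RISKY.keys())
```

A non-empty result means the app requested the permission, not that the user granted it or that the app is malicious; it marks the app for closer review.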


The Joker's Background

"For my whole life, I didn't know if I really existed. But I do, and people are starting to notice." - The Joker (Joker, 2019)

The Joker malware first emerged in 2017. In 2019, Google removed 24 apps from the Play Store after discovering this malware in them. By this time, the apps already had more than 472,000 installs. While this action prevented new users from downloading the malicious apps, it did not remove the malicious apps from devices that were already infected.

Bad actors have continued to spread this malware by resubmitting various apps to the app store under different developer accounts, changing just enough code to throw Google off their tracks. They stay up to date on Google's increasingly sophisticated routines for fighting malicious apps, coming back stronger each time.

The Joker is using much more sophisticated techniques now. The newest technique is well known but had not been used by the Joker until now: the malicious code is hidden inside legitimate applications, in places such as the advertising within the app, rather than in the app code itself, which allows the malicious apps to get through Google Play's app vetting process.

This time, Google removed more than 1,700 apps submitted to the Play Store over the past three years that had been infected with various versions of the Joker malware. Google described this malware operation as one of the most persistent threats it has dealt with during the past few years.

The Joker malware targets those living in specific countries, which the malware identifies using the affected device's SIM card data. These countries include the United States, Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, and the United Kingdom.

What Apps Were Affected:

Advocate Wallpaper, Age Face, Altar Message, Antivirus Security – Security Scan, Beach Camera, Board picture editing, Certain Wallpaper, Climate SMS, Collate Face Scanner, Cute Camera, Dazzle Wallpaper, Declare Message, Display Camera, Great VPN, Humour Camera, Ignite Clean, Leaf Face Scanner, Mini Camera, Print Plant scan, Rapid Face Scanner, Reward Clean, Ruddy SMS, Soby Camera, Spark Wallpaper

How Can I Stay Safe From The Joker Malware?

First and foremost, if you have any of the above-mentioned apps installed on your phone, uninstall them immediately. To do this:

Open the Google Play Store app.

  1. Tap Menu, then My apps & games.
  2. Tap on the app or game.
  3. Tap Uninstall.

Review your phone bill for any unauthorized subscription purchases. If you see any, contact your phone provider to cancel the subscriptions and let them know that you did not authorize the subscription fees.

Review your phone's apps and delete any that you do not actively use. These apps stayed under Google's radar for 3 years before they were identified as malicious. There may very well be other apps that include this or other malware. By uninstalling any unused apps, not only are you making it less likely that an affected app remains on your phone, but it'll also help your phone run more efficiently.

Activate an account monitoring service. With apps, websites, and other services able to access so much of our personal information, the likelihood of your information being involved in a breach is very high. The news headlines are full of reports of data breaches, but only a small number of these breaches are made known to the public. Companies hide breaches every day for fear of the negative attention and loss of business resulting from their breach of customers' trust. Guardio offers account monitoring that can alert you immediately if your account information was shared online or on the dark web for criminals to access so that you know to begin taking action to protect yourself right away.
