#privacy: “Joker” trojan signs users up for premium subscriptions

A new Android trojan dubbed “Joker” has been discovered with malware dropper and spyware capabilities in 24 Google Play Store apps.

In a blog post, researcher Aleksejs Kuprins from CSIS Security Group described how he had observed the Joker on Google Play. It was detected in 24 apps with over 472,000 installs in total.

It is designed to deliver a second stage component, which silently simulates user interaction with advertisement websites and harvests the victim’s device information, contact list and text messages. The interaction with the advertisement websites “includes simulation of clicks and entering of the authorization codes for premium service subscriptions.”

“This strategy works by automating the necessary interaction with the premium offer’s webpage, entering the operator’s offer code, then waiting for a SMS message with a confirmation code and extracting it using regular expressions. Finally, the Joker submits the extracted code to the offer’s webpage, in order to authorize the premium subscription.”

Android users in a specific list of countries are being targeted by the Joker trojan, including Australia, the United Kingdom, France, Germany and Ireland. Most of the infected apps carry a list of 37 Mobile Country Codes (MCCs), and the victim’s SIM must belong to one of those 37 countries before the second stage payload is delivered.

“Furthermore, most of the discovered apps have an additional check, which will make sure that the payload won’t execute when running within the US or Canada. The UI of C&C panel and some of the bot’s code comments are written in Chinese, which could be a hint in terms of geographical attribution.”

The operator of the campaign also sends commands and code to be executed via JavaScript-to-Java callbacks, a technique used as an additional layer of protection against static analysis.

Whilst researchers at CSIS Security Group were analysing the trojan, Google removed all Joker-infected apps from the Play Store.

That Google removed the apps before the researchers had notified it suggests the Play Store has built-in malware protection, through which Google’s own security researchers can identify and remove previously undetected malware.

“We recommend paying close attention to the permission list in the apps that you install on your Android device,” Kuprins said.

“Obviously, there usually isn’t a clear description of why a certain app needs a particular permission, which means that whenever you are downloading any app — you are still relying on your gut feeling to some extent.”
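The capabilities the article describes (reading the confirmation SMS, harvesting contacts, and reaching the offer page over the network) are exactly what an app's permission list exposes, so a practitioner can triage a decoded AndroidManifest.xml for those combinations before installing. The following Python script is an added illustration, not code from the article or from CSIS Security Group; the permission-to-capability mapping and the sample manifest are assumptions and constructed data, since the article does not state which permissions the Joker-infected apps request.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from standard Android permissions to the capabilities
# the article attributes to Joker's second stage: reading the incoming
# confirmation SMS, reading the contact list, and network access.
SMS_READ = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
CONTACTS = {"android.permission.READ_CONTACTS"}
NETWORK = {"android.permission.INTERNET"}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.add(name)
    return names


def triage(manifest_xml: str) -> list:
    """Flag permission combinations that together enable the described abuse."""
    perms = declared_permissions(manifest_xml)
    findings = []
    if perms & SMS_READ and perms & NETWORK:
        findings.append("reads incoming SMS and has network access: "
                        "enough to intercept and relay a subscription confirmation code")
    if perms & CONTACTS and perms & NETWORK:
        findings.append("reads contacts and has network access: "
                        "contact list could be exfiltrated")
    return findings


# Constructed sample manifest for demonstration; not taken from any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sampleapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print("FLAG:", finding)
```

Run it against the manifest produced by decoding an APK (for example with apktool); an empty result means none of the flagged combinations is declared, not that the app is safe.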
