Discovered by Google in 2017 and named after one of the most essential comic book villains and an authentic icon of popular culture, Joker is malware that last year managed to sneak 24 applications into Android's Google Play Store, which together reached more than 500,000 downloads. But just like in the comics, the Joker always comes back.
Joker malware is back
Cybersecurity company Zscaler has discovered that up to 17 official Android apps have been tainted with Joker. The malware works in two phases, and its danger is not only that it steals your data but also that it steals money in real time. This is how it works:
- Infection of the device, with the malware integrating itself into the system
- Identification of the country in which the device is located
- Minimal command-and-control (C&C) communication with the operators, just enough to receive the encrypted configuration
- Decryption of the DEX file (an executable file in the format that holds compiled code written for Android) and loading of it
- Theft of SMS messages, including the details of who sent them
- Theft of the contact list and device data
- Interaction with advertising websites to make money through the infected phone
A malware that steals money from you
The worst thing about this second phase is that Joker starts interacting with advertising websites, using authorization codes for premium subscriptions on those pages and simulating clicks on banners and so on; in other words, it subscribes us to advertising services that we never requested.
Through this technique, Joker can earn a certain amount of euros per user per week by automating the process of interacting with a specific website's premium offer.
To maximize its attacks while minimizing the risk of being caught, Joker only acts in a certain number of countries, Spain included. In fact, many of the apps infected with this malware carry a list of MCCs (mobile country codes) to determine which country they are operating in. If you use a SIM from one of the countries on the list, phase 2 of the malware is activated, which involves the SMS, data and monetary actions.
Most of the compromised applications operate in countries in Europe and Asia, and have an additional check to avoid doing so in the United States or Canada, although some apps do infect North American SIM cards.
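The two-phase behaviour and the MCC geofence described above give an analyst three static indicators to look for in a suspicious APK: SMS/contact permissions, a runtime DEX loader for the decrypted second stage, and a hard-coded list of mobile country codes. The following triage script is an added example, not code from the article or from Zscaler; it assumes the input is the app's AndroidManifest.xml as text plus a list of strings dumped from the decompiled code, and the sample manifest and strings are constructed.

```python
import re

# Permissions that enable the SMS-theft and contact-theft phase described above.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
}
# Class names used to load code that is not in the base APK (the decrypted DEX).
DYNAMIC_LOAD_MARKERS = ("dalvik/system/DexClassLoader", "dalvik/system/InMemoryDexClassLoader")
# MCCs are three-digit codes; four or more in one delimited string hints at a geofence list.
MCC_LIST_RE = re.compile(r"\b\d{3}(?:\s*[,;|]\s*\d{3}){3,}\b")

def extract_permissions(manifest_xml):
    """Return every android:name declared in a <uses-permission> element."""
    return set(re.findall(r'<uses-permission[^>]*android:name="([^"]+)"', manifest_xml))

def find_mcc_lists(strings):
    """Return strings that look like a hard-coded MCC allow-list."""
    return [s for s in strings if MCC_LIST_RE.search(s)]

def find_dynamic_loaders(strings):
    """Return strings referencing a runtime DEX loader class."""
    return [s for s in strings if any(m in s for m in DYNAMIC_LOAD_MARKERS)]

def triage(manifest_xml, strings):
    """Combine the three indicators into a score; 2 or more warrants analyst review."""
    perms = sorted(extract_permissions(manifest_xml) & SENSITIVE_PERMISSIONS)
    loaders = find_dynamic_loaders(strings)
    mcc_lists = find_mcc_lists(strings)
    score = int(bool(perms)) + int(bool(loaders)) + int(bool(mcc_lists))
    return {"sensitive_permissions": perms, "dynamic_loaders": loaders,
            "mcc_lists": mcc_lists, "score": score,
            "verdict": "review" if score >= 2 else "low"}

# Constructed sample input (not from a real APK): a manifest and a decompiler string dump.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
SAMPLE_STRINGS = [
    "Ldalvik/system/DexClassLoader;",
    "214,234,262,208,222",  # sample MCC list; 214 is Spain's MCC
    "https://example.invalid/config",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

The score is a heuristic for prioritising manual review, not a verdict: a legitimate messaging app will legitimately hold READ_SMS, so a single indicator on its own is expected to be noise.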
Joker infected apps
Where does this malware come from? Although tracking it down is complicated, the truth is that both the user interface of the Joker C&C panel and some of the comments in its codebase are written in Chinese. Despite the security of the Android Store, Joker has managed to sneak into 17 other applications, some of them with more than 100,000 downloads, which greatly multiplies the potential number of affected users. If you have one of these apps, delete it immediately:
- All Good PDF Scanner
- Mint Leaf Message-Your Private Message
- Unique Keyboard – Fancy Fonts & Free Emoticons
- Tangram App Lock
- Direct Messenger
- Private SMS
- One Sentence Translator – Multifunctional Translator
- Style Photo Collage
- Meticulous Scanner
- Desire Translate
- Talent Photo Editor – Blur focus
- Care Message
- Part Message
- Paper Doc Scanner
- Blue Scanner
- Hummingbird PDF
- Converter – Photo to PDF