Joker Trojan: The Bane of Google Play Store

Joker (aka Bread) malware has been identified as one of the most persistent and advanced threats, as per Google’s PHA Family Highlights series. Joker-infected apps usually manage to sneak their way past Google's defenses and reach the Play Store several times.

What was discovered?

Recently, Zscaler security researchers identified 17 Joker-infected applications available on Google Play, which were removed by Google promptly.
  • The malicious applications were listed on Google Play, posing as various productivity and utility apps, such as document scanner, text messaging, language translation, app lock, keyboard, and fonts & emoticons.
  • Within a small timespan, the apps garnered more than 120,000 downloads before being detected as malicious threats.
  • In some groups of the infected apps, researchers found that the final payload was delivered via a direct URL received from the C2 server, single stager payload, or two-stager payload downloads.

Earlier actions against Joker

Google's security team has been seen taking actions against different batches of Joker-infected apps over the past few months.
  • In August, Google had removed Joker malware-embedded six apps, which tout functionalities ranging from text messaging to emoji wallpaper - accounting for nearly 200,000 installs.
  • In all, Google’s Play Protect has detected and removed around 1,700 unique apps infected with Joker malware from the Play Store, since its first discovery in 2017.

Ending notes

Malware threats such as Joker have been targeting and exploiting the Google Play Store platform on a regular basis, and the end-users always have been and will remain the most critical line-of-defense for such threats. Experts advise users to avoid using niche apps, pay close attention to the permission list, especially when it involves sensitive permissions related to call logs, contacts, SMS, location, and more.