Joker spyware

Security experts from Google have discovered a new spyware in 24 Play Store apps that, combined, have more than 472,000 downloads. Researchers have stated that this spyware also has the capabilities of normal malware and appears to have infected certain apps in Google Play with more than 100,000 installations. Cybercriminals are deploying this spyware through the advertisement framework in those compromised apps.

Introduction to Joker  

This spyware secretly collects users’ personal details, like contacts and other address book details, and is aptly named Joker. Joker uses its SMS collection module to confirm the user’s country. All infected apps contain a sophisticated list of mobile country codes, which Joker openly exploits. Cybercriminals are also sending command and control codes that can be executed using JavaScript to keep their spyware alive.

This Joker spyware comes with two components: one that identifies the device location, and another that automatically subscribes users to the premium package offered in the ads by the campaign sponsors. All of Joker’s activities are controlled by a command and control (C&C) server operated by the cybercriminals.

Countries targeted by Joker 

Joker has targeted these 37 countries: Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Netherlands, Norway, Poland, Portugal, Qatar, Republic of Argentina, Serbia, Singapore, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, the United Arab Emirates, the United Kingdom, and the United States.

Joker-infected Android apps  

The following applications have been infected by Joker:

1. Antivirus Security – Security Scan, App Lock

2. Dazzle Wallpaper

3. Collate Face Scanner

4. Reward Clean

5. Age Face

6. Altar Message

7. Rapid Face Scanner

8. Picture editing

9. Soby Camera

10. Great VPN

11. Humour Camera

12. Advocate Wallpaper

13. Ruddy SMS Mod

14. Ignite Clean

15. Print Plant scan

16. Leaf Face Scanner

17. Boar

18. Declare Message

19. Display Camera

20. Beach Camera

21. Mini Camera

22. Certain Wallpaper

23. Cute Camera

24. Spark Wallpaper

How to protect your Android devices against Joker 

To simplify things, Google has already identified these 24 apps in the Play Store, confirmed their Joker infection, and removed them from the Play Store. However, this only blocks any future downloads of the infected apps.  

Users who have already installed these apps on their devices will be issued a warning by Google Play, like the one users received for the CamScanner malware. So check your Android device for these apps and remove them before you end up handing over your personal data to Joker.

For organizations that manage corporate-owned, personally enabled (COPE), choose your own device (CYOD), and bring your own device (BYOD) environments, it’s better to include these 24 apps in the blacklisted or prohibited group of applications and deploy the policy to your managed devices. Blacklisting and whitelisting apps can be carried out using a mobile device management (MDM) or unified endpoint management (UEM) solution.  
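An added example, not part of the original article or of any MDM product: auditing an exported app inventory against the 24 names listed above before rolling out the prohibited-apps policy. The CSV layout (`device_id,app_label`) and the sample rows are constructed, and because the article gives display names only, matching is on the whole normalized label and each hit should be confirmed on the device.

```python
import csv
import io
import re
from collections import defaultdict

# The 24 app names listed in the article (display labels, not package IDs).
JOKER_APPS = [
    "Antivirus Security – Security Scan, App Lock", "Dazzle Wallpaper",
    "Collate Face Scanner", "Reward Clean", "Age Face", "Altar Message",
    "Rapid Face Scanner", "Picture editing", "Soby Camera", "Great VPN",
    "Humour Camera", "Advocate Wallpaper", "Ruddy SMS Mod", "Ignite Clean",
    "Print Plant scan", "Leaf Face Scanner", "Boar", "Declare Message",
    "Display Camera", "Beach Camera", "Mini Camera", "Certain Wallpaper",
    "Cute Camera", "Spark Wallpaper",
]

def normalize(label):
    """Fold case, punctuation (dash variants included) and spacing."""
    return " ".join(re.sub(r"[^a-z0-9]+", " ", label.casefold()).split())

BLOCKLIST = {normalize(name): name for name in JOKER_APPS}

# Constructed sample export; the device_id,app_label layout is an assumption.
SAMPLE_INVENTORY = """device_id,app_label
dev-001,Dazzle Wallpaper
dev-001,Calculator
dev-002,"antivirus security - security scan, app lock"
dev-002,GREAT  VPN
dev-003,Mini Camera Pro
"""

def audit(inventory_csv):
    """Return {device_id: [listed names found]}; whole-label matches only."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        match = BLOCKLIST.get(normalize(row["app_label"]))
        if match and match not in hits[row["device_id"]]:
            hits[row["device_id"]].append(match)
    return dict(hits)

if __name__ == "__main__":
    for device, apps in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{device}: remove and add to prohibited list -> {', '.join(apps)}")
```

Whole-label matching keeps an unrelated app such as the constructed "Mini Camera Pro" out of the results, at the cost of missing renamed or repackaged copies.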

Thwart Joker with help from ManageEngine 

If you already have an MDM or UEM solution, start rolling out your new configurations as soon as possible. If not, you can download ManageEngine’s unified endpoint management solution or mobile device management solution to blacklist infected applications and nullify Joker. Both of the above solutions come with a free trial for 30 days and offer a free edition, which will allow you to manage 25 mobile devices completely free.

Do not underestimate Joker; doing so could be lethal to your organization considering the current data protection laws like the GDPR and POPI for Europe and South Africa, along with upcoming laws like the CCPA and LGPD for the USA and Brazil.

  1. Abeerah Hashim

    Weird that despite checks from Google, hackers face no problems in reaching Play Store. Obviously, the widespread use of Android phones makes it extremely difficult to make each and every user aware of the existence of such malicious apps. Perhaps, Google needs to make major changes in their policies to protect Android users.

  2. Balaji

    Nowadays malware authors are frequently abusing Google Play and advertisement platforms and use them for dropping a variety of malware. It seems Joker targets almost all the top leading technologically strong origins. Lack of awareness in Android users leads to target a huge number of users. Great analysis.

    • This is where blacklisting and whitelisting can come in handy. If you have got your corporate containers up, your business data should be safe.

  3. Guru

    Another day another stealthy malware on Google Play, before installing non-factory apps users should check application reputation. Downloading these weird, crappy apps should be avoided.

    • Organizations can prefer whitelisting to avoid surprises like this; however, for personal devices only proper cyber awareness would help. Or they can look out for warning messages from Google Play Protect.

  4. Mohit

    Joker malware is yet another great example showing how immature are Google Play Store’s security mechanisms, including Google Play Protect, at this moment that even an already detected malware can again sneak into users’ Android devices just by repackaging it into a new form.

    • Google Play Protect is just the first level of protection, proper app security management with the right usage of sandboxes is a permanent solution.

  5. Peter Johnson

    Do you guys have any resources about LGPD?

    • Hey Peter, we are coming with a guide for LGPD Compliance. Please stay tuned.

  6. Mike Walker

    Not all malwares will threaten device security, but they can cause performance hits. Believing the presence of external threats, corporates should employ MDM solutions at least for their critical machines.