‘Joker’ is back: A malware that Google hates

Prason Pandey
5 min readJun 27, 2021
Photo by Ryan Moulton on Unsplash

He’s back, Joker! No, not the one who appears in the Batman series, but the malware which has become a nightmare for Google.

Since the beginning of Google’s Play Store, Google has battled Hackers who develop and submit malicious apps to the play store. To ensure its users are protected from malicious apps, Google makes massive investments in security. For an app to get published on the Play Store, it must pass Google’s strict approval policy.

As part of Google’s secure app validation process, it uses multiple self-developed advanced malware detection tools to identify if an application is safe for users or not. Although all of these protections are in place, malware may still get through and be published on the Play Store. However, what if certain malware bypasses all the security verifications again and again and again and again.

Some Keywords

For someone who is not tech-savvy, you might be wondering what malware is. Several similar terms will be used in this blog, so let me explain them.


Malware is an umbrella term for several different types of malicious software, such as viruses, ransomware, and spyware. Malware is a term used to refer to software that is developed by cyberattackers with the specific purpose of damaging computer data and systems or of gaining unauthorized access to networks. The user is required to click on a link or open a file to execute malware. Malware may be delivered through email and exploits vulnerabilities in web servers.


A virus is a type of Malware. It attaches its malicious code to clean code and waits for a user or computer to execute it. Virus attacks are the most common kind of malware attack. In the same way as biological viruses, they can spread quickly and widely, causing damage to systems, corrupting files, and preventing users from accessing their computers. Usually, they are contained within executable files.


Like ancient Greek soldiers carried out their attacks from giant horses, this type of malware also hides in or disguises itself as legitimate software. This malware will create backdoors that will allow attackers to access relative ease, breaching security discretely.

What is Joker?

Photo by TETrebbien on Unsplash

Joker is an infamous trojan named after the villain appearing in DC Comics comic books. Joker is the malware that has been a headache for Google’s security team by repeatedly bypassing Google’s strict verification procedures. Joker has been making fun of Google’s security since 2017. Infiltrating SMS, contact lists, and other device information has been the main target of this Malware. In addition to generating revenues for cybercriminals, Joker is also used for advertising products and services fraudulently.

Recently, Researchers at Quick Heal Security Labs have discovered eight apps on the Google Play Store infected with Joker malware. Following the Quick Heal Security Labs report, Google immediately removed all eight apps from Google Play Store.

Fact: Google has removed almost 1800 apps infected with Joker since 2017.

Apps Infected with Joker

Following eight apps were infected with Joker and now removed by Google from its Play Store:

  1. Auxiliary Message
  2. Fast Magic SMS
  3. Free CamScanner
  4. Super Message
  5. Element Scanner
  6. Go Messages
  7. Travel Wallpapers
  8. Super SMS

Working Process of Joker

The app asks the user permission to access the device’s contact list, SMS, Phone Calls, and Notifications at app lunch. In the background, it downloads payloads from the remote server https://aliyuncs.com/ which is nothing but Joker malware.

Source: Quick Heal Security

After downloading Joker Malware, the Application will get the victim’s location using SIM’s country code and subscribe to different paid services based on the victim’s location.

Source: Quick Heal Security Labs


A command and control system (C2) is used to control compromised or hacked devices remotely or host payloads. Hackers can send commands directly to compromised hosts/devices from a command and control server.

Researchers found the following C2 servers during their research:

  • http://buckts.oss-me-east-1.aliyuncs.com
  • http://wter.oss-us-east-1.aliyuncs.com/
  • http://skullali.oss-us-east-1.aliyuncs.com/
  • http://suanleba.oss-us-west-1.aliyuncs.com
  • https://new-sk.oss-ap-southeast-1.aliyuncs.com
  • http://517–1305586011.cos.na-toronto.myqcloud.com/

Recent Joker Attacks

  1. By injecting malicious code inside the Android Manifest file, Joker made its way into the Play Store in 2019 and infected thousands of users.
  2. Joker malware successfully bypassed Google’s defenses multiple times in 2020 to appear in the Google Play Store.
  3. Joker Malware was able to infect 500,000 Huawei Android Users in April 2021.
  4. Joker Malware bypassed Google’s defenses and was detected by Quick Heals Security Labs before a few days.

How dangerous is Joker malware?

There is a lot of malware out there, but Joker is one of the most dangerous on the entire internet. It is notorious for stealing data from Android users. According to cybersecurity researchers, the malware collects personal information such as phone information, SMS, and OTPs.

Most dangerously, it uses OTP to sign you up for unknown paid services.

Source: Quick Heal Security Labs

Tips to Stay Safe

Photo by Franck on Unsplash
  1. Use a trusted antivirus
  2. Read Android’s pop-up messages carefully before granting permission.
  3. Learn how to spot fake Google Play Store applications.
  4. Download apps developed by trusted Developers/Companies only.
  5. Learn more about Joker and analyze the source code if you are a developer or a hacker.
  6. Don’t download modified apps.


Although the apps have been removed from the Google Play Store, if you have any of these installed on your smartphone or no longer use them, I recommend that you uninstall and delete the apps from your device.

This article discusses Joker malware, but thousands of malware programs are as dangerous as Joker. Joker malware is a great example of why we should not blindly trust any application store. There are others thousands of other malware that are actively targeting users for data and money. So think twice before downloading anything to your phone. Stay (SayCure), Stay Curious, Privacy Matters