Tuesday, April 22, 2025
HomeAndroidJoker Malware Targets Android Users to steal SMS Messages and Contact Lists...

Joker Malware Targets Android Users to steal SMS Messages and Contact Lists – 17 Apps Removed from Google Play

Published on

SIEM as a Service

Follow Us on Google News

Joker is one of the most prominent malware families that continuously target the Android devices, it’s main activity is to stimulate clicks on SMS message and subscribe for unwanted paid premium services.

The malware found again in Google play by employing changes in its code, execution methods, or payload-retrieving techniques.

Joker Malware in Google Play

Security researchers from the Zscaler ThreatLabZ research team identified regular upload of malware-infected files onto the Google Play store.

- Advertisement - Google News

This prompted us to evaluate how Joker is so successful at getting around the Google Play vetting process. We identified 17 different samples regularly uploaded to Google Play in September 2020. There were a total of around 120,000 downloads for the identified malicious apps, reads Zscaler blog post.

Here is the list of affected apps;

  • All Good PDF Scanner
  • Mint Leaf Message-Your Private Message
  • Unique Keyboard – Fancy Fonts & Free Emoticons
  • Tangram App Lock
  • Direct Messenger
  • Private SMS
  • One Sentence Translator – Multifunctional Translator
  • Style Photo Collage
  • Meticulous Scanner
  • Desire Translate
  • Talent Photo Editor – Blur focus
  • Care Message
  • Part Message
  • Paper Doc Scanner
  • Blue Scanner
  • Hummingbird PDF Converter – Photo to PDF
  • All Good PDF Scanner

The malware steals users’ money by subscribing them to paid subscriptions without their consent. It stimulates interaction with ads and then steals victims’ messages including OTP to authenticate payments.

Researchers observed three different infection scenarios

Scenario 1: The malicious has obfuscated C&C URL embedded in the app for direct download, once installed the malicious app contacts the C&C server for download.

Scenario 2: The malicious apps have stager payload added, the job of this stager payload is to simply retrieve the final payload URL from the code, download and execute it.

Scenario 3: Infected apps have two stager payloads to download the final payload. the Google Play infected app downloads the stage one payload, which downloads the stage two payload, which finally loads the end Joker payload.

With all the scenarios the final payload downloaded is the Joker malware and it uses DES encryption to execute the C&C activities. It is always recommended to check out the permissions of the applications that you are installing.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Infostealer Attacks Surge 84% Weekly Through Phishing Emails

The volume of infostealer malware distributed through phishing emails has surged by 84% week-on-week...

North Korean IT Workers Use Real-Time Deepfakes to Infiltrate Organizations Through Remote Jobs

A division of Palo Alto Networks, have revealed a sophisticated scheme by North Korean...

New Phishing Technique Hides Weaponized HTML Files Within SVG Images

Cybersecurity experts have observed an alarming increase in the use of SVG (Scalable Vector...

Detecting And Blocking DNS Tunneling Techniques Using Network Analytics

DNS tunneling is a covert technique that cybercriminals use to bypass traditional network security...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Infostealer Attacks Surge 84% Weekly Through Phishing Emails

The volume of infostealer malware distributed through phishing emails has surged by 84% week-on-week...

North Korean IT Workers Use Real-Time Deepfakes to Infiltrate Organizations Through Remote Jobs

A division of Palo Alto Networks, have revealed a sophisticated scheme by North Korean...

Akira Ransomware Launches New Cyberattacks Using Stolen Credentials and Public Tools

The Akira ransomware group has intensified its operations, targeting over 350 organizations and claiming...