
Remove Joker virus (Android Guide)

Joker Virus Detected in 24 Google Play Apps

Joker malware is an Android virus that was detected in 24 Google Play apps in September 2019. The malicious program is capable of signing the victim up for paid service subscriptions, stealing SMS messages, contact lists and device info, and simulating interaction with advertisements.

The malware was first discovered and described by CSIS security researcher Aleksejs Kuprins. According to the security specialist, the malware has been installed onto various devices over 472,000 times with the help of 24 infected Android apps, all containing Joker malware.

Android OS remains the primary target of various malware variants.

Since the discovery of the malicious software, Google Play has removed these 24 apps from the store. However, users who installed the compromised apps MUST remove them from their devices manually to secure their privacy and bank accounts.

Android users who have one of the following apps on their devices must uninstall them IMMEDIATELY to remove Joker malware completely:

  • Advocate Wallpaper;
  • Age Face;
  • Altar Message;
  • Antivirus Security – Security Scan;
  • Beach Camera;
  • Board picture editing;
  • Certain Wallpaper;
  • Climate SMS;
  • Collate Face Scanner;
  • Cute Camera;
  • Dazzle Wallpaper;
  • Declare Message;
  • Display Camera;
  • Great VPN;
  • Humour Camera;
  • Ignite Clean;
  • Leaf Face Scanner;
  • Mini Camera;
  • Print Plant scan;
  • Rapid Face Scanner;
  • Reward Clean;
  • Ruddy SMS;
  • Soby Camera;
  • Spark Wallpaper.

If you have been using one or several of these apps, make sure you remove Joker virus from your Android device completely. Please use the free instructions at the end of this article.

Details on how the Android virus operates

The Joker Android virus lurks in advertisement frameworks used by the above-mentioned applications, delivering an initialization component (Loader) to the victim’s device. The loader is set to carry out the following tasks:

  1. Check device user’s country;
  2. Communicate with Command & Control server (C&C);
  3. Decrypt and load the second-stage component, which comes in the form of a DEX file;
  4. Listen to phone notifications and send the required components to the Core Joker malware component.

The first stage: Loader component

Before attacking the Android device, Joker virus checks whether the victim is using a SIM card from one of the targeted countries, which it identifies by Mobile Country Code (MCC). Most of the infected apps targeted Asian and European Union countries, although some of them were set to target victims worldwide.

Interestingly, the vast majority of the 24 apps have been configured to check whether the victim is from the US or Canada, and to terminate the malware if so.

The Android virus targets a total of 37 countries:

Australia, Austria, Belgium, Brazil, China, Cyprus, Egypt, France, Germany, Ghana, Greece, Honduras, India, Indonesia, Ireland, Italy, Kuwait, Malaysia, Myanmar, Norway, Netherlands, Poland, Portugal, Qatar, Republic of Argentina, Singapore, Serbia, Slovenia, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United States and United Kingdom.

The world map of countries that the virus targets.

The Loader is set to download the DEX file and deobfuscate it for further use, before proceeding to the core malware functionality.

The second stage: Core component

The main part of Joker Android virus is coded to be as small, as functional, and as silent on the compromised device as possible. It is clear that the malware was created by professionals who want, and know how, to operate silently without being noticed (at least not until the victim notices payments in the bank account).

The malware continuously communicates with the C&C server to receive new tasks and report results.

The main task of Joker is to simulate the victim’s clicks on advertisements. As a result, it opens premium offer URLs and injects JavaScript commands, waiting for the authorization SMS to arrive. Since the Android virus contains a phone notification checker, it quickly observes incoming SMS messages and extracts the required confirmation code to purchase premium services on behalf of the victim.

The malware also steals all text messages from the victim’s phone as well as the whole address book and sends them to the C&C server.

Remove Joker malware and cancel paid subscriptions

We want to stress that you must not only remove Joker virus by uninstalling the previously mentioned apps from your phone, but also check which premium subscriptions are currently active on your account.

Step 1. Remove infected apps

First of all, you need to check whether you have any of the listed apps on your phone or tablet and remove them in a few simple steps:

  1. Open Google Play Store application.
  2. Go to Menu > My Apps & Games.
  3. Select the compromised game or app.
  4. Choose to Uninstall.
  5. Repeat with all compromised apps.

Uninstalling the malicious app won’t cancel premium subscriptions.

Step 2. Check and cancel premium subscriptions

  1. Take your device and open Google Play Store.
  2. Make sure you’re logged into your account. Then go to Menu > Subscriptions.
  3. Here, look over the premium subscriptions and make sure they are all authorized by YOU. If you find a suspicious one, select it and click Cancel subscription.
  4. Follow the instructions on the screen.

Once you complete these steps, Joker virus removal will be complete. Make sure you always check app permissions and download only trustworthy components to your Android device to avoid Android virus infection.
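To make the advice about checking app permissions concrete, here is an added example (not part of the original guide and not taken from any Joker sample): a small triage script that flags a decoded AndroidManifest.xml when it combines the capabilities described above. The mapping from behaviours to permissions, the review threshold and both sample manifests are assumptions constructed for this illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Assumed mapping from the behaviours the article describes to Android permissions.
BEHAVIOUR_PERMS = {
    "reads SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "reads contacts": {"android.permission.READ_CONTACTS"},
    "reads device info": {"android.permission.READ_PHONE_STATE"},
}

# Constructed sample manifests (hypothetical package names), not real apps.
SAMPLE_SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".NotifyService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
SAMPLE_BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.clock">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def triage_manifest(manifest_xml):
    """Return the sorted list of article-described capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    found = [name for name, perms in BEHAVIOUR_PERMS.items() if requested & perms]
    # A notification listener is declared as a <service> guarded by LISTENER_PERM.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == LISTENER_PERM:
            found.append("listens to notifications")
            break
    return sorted(found)

def needs_review(manifest_xml, threshold=3):
    """Flag for manual review when enough of the capabilities co-occur."""
    return len(triage_manifest(manifest_xml)) >= threshold

if __name__ == "__main__":
    for label, xml_text in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, triage_manifest(xml_text), needs_review(xml_text))
```

A flag from this script is only a prompt to look closer: a wallpaper or camera app has no obvious need for SMS, contacts and notification access together, while a messaging app legitimately might.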

View Comments

  • Thank you for describing how to cancel paid subscriptions caused by Joker malware - I couldn't understand how to do it. Very useful guide!
