Saturday, Dec 03, 2022

Google removes 11 apps from Play store infected with Joker malware; uninstall them now

Researchers have said that with small changes to its code the Joker malware was able to get past the Play store’s security and vetting barriers.

Google has removed 11 apps from the Play Store infected with the notorious Joker malware.

Late last year we saw the Joker malware surface and spread like wildfire. In their latest report, Check Point’s researchers say they have discovered a new variant of the Joker Dropper and Premium Dialer spyware in the Google Play Store, hiding inside seemingly legitimate applications. The updated Joker malware can download additional malware to the device, which in turn subscribes the victim to a number of premium services without their consent.

Meanwhile, Google has removed 11 apps from the Play Store infected with the notorious Joker malware. The applications include com.relax.relaxation.androidsms, com.cheery.message.sendsms (two different instances), com.peason.lovinglovemessage, com.hmvoice.friendsms, com.file.recovefiles, com.LPlocker.lockapps, com.remindme.alram and

Joker malware: Everything you need to know

The researchers have said that with small changes to its code the Joker malware was able to get past the Play store’s security and vetting barriers. This time around, the Joker malware has adopted an old technique from the conventional PC threat landscape to avoid detection by Google. The newly modified Joker virus uses two main components to subscribe app users to premium services: the Notification Listener service and a dynamic dex file loaded from the C&C server.

To minimize Joker’s code, the developer hid it in a dynamically loaded dex file, while ensuring that it can still load completely when triggered. The code inside the dex file is stored as Base64-encoded strings, which start decoding and loading as soon as the victim opens the affected app.


The original Joker malware communicated with the C&C and then downloaded the dynamic dex file, which was loaded as classes.dex. In the new, modified version, however, the code is embedded in a different zone, with the classes.dex file loading a new payload. The malware is triggered by creating a new object that communicates with the C&C.



“The new method is much more complex compared to the process of the original Joker malware. It requires one .dex file to read a manifest file and then start decoding the payload. After the payload is decoded, it then loads a new .dex file and then infects the device,” Lalit Wadhwa, an Android app developer at Jungle Works, told

According to the Check Point report, the Base64 strings were located inside an internal class instead of being added to the Manifest file. This means that the malicious code only needed the device to read the strings, decode them and then load them via reflection to infect the device.
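A defender-side check for the hiding technique described above, as an added example that is not taken from the Check Point report or from this article: it scans raw bytes (for instance an extracted classes.dex) for Base64 runs that decode to a DEX file header. The function names, the length threshold and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re

# Runs of Base64 alphabet long enough to hold real data (threshold is an assumption).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")
# Every DEX file begins with "dex\n", three version digits and a NUL byte.
DEX_MAGIC = re.compile(rb"dex\n(\d{3})\x00")


def find_embedded_dex(blob: bytes):
    """Return (offset, decoded_size, dex_version) for each Base64 run in
    `blob` whose decoded form starts with a DEX header."""
    hits = []
    for run in B64_RUN.finditer(blob):
        text = run.group()
        # The byte before a string in a dex file is a length prefix that can
        # itself fall in the Base64 alphabet, so try all four alignments.
        for skip in range(4):
            head = base64.b64decode(text[skip:skip + 12])  # 12 chars -> 9 bytes
            magic = DEX_MAGIC.match(head)
            if magic:
                body = text[skip:].rstrip(b"=")
                hits.append((run.start() + skip, len(body) * 3 // 4,
                             magic.group(1).decode()))
                break
    return hits


def build_sample() -> bytes:
    """Constructed sample: a fake 48-byte 'payload' with a DEX header,
    Base64-encoded and placed next to a harmless Base64 string."""
    payload = base64.b64encode(b"dex\n035\x00" + bytes(range(40)))
    decoy = base64.b64encode(b"ordinary configuration text, not code")
    return b"\x00\x07header\x00" + b"A" + payload + b"\x00" + decoy + b"\x00"


if __name__ == "__main__":
    for offset, size, version in find_embedded_dex(build_sample()):
        print(f"Base64-encoded DEX v{version} at offset {offset}, ~{size} bytes decoded")
```

A payload split across several strings or wrapped in a further encoding layer will not match this check, so a clean result does not clear an app.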

Because the payload is hidden in Base64 strings, the only thing the actor needed to do to hide the file was to set the C&C server to return “false” on the status code if tests were being run.

Check Point recommends that you check all your apps thoroughly and see whether any are from a non-trusted developer. If you think you have downloaded an infected file, uninstall it immediately. Then check your mobile and credit card bills for any irregularities. If there are any, talk to the bank and unsubscribe from those charges. Lastly, users are advised to install an anti-virus program on their smartphones to prevent infections.

First published on: 11-07-2020 at 08:13:44 am