New variant of Joker malware found in Android apps on Play Store

New variant of Joker malware found in Android apps on Play Store

The original Joker malware was identified on Play Store back in September 2019.


Android is faced with a multitude of hostile malware families that try to find their way back in from time to time. One such malware strain happens to be the Joker which has also been previously caught tricking users into subscribing to premium services without their consent.


This time, it’s back to do the same albeit with a different technique in order to evade Google’s security filters. This is alarming for Android users since just yesterday it was reported that dangerous Cerberus banking trojan was also found on Google Play Store.


Reported by Checkpoint, the new variant makes use of a couple of components to do its job – a notification listener service which is a part of the legitimate applications, and a “dynamic dex file” that it retrieves from its C2 server in order to make users successfully subscribe.


According to the researchers, a new technique at play in this variant is that it,



“Now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded.”


Another interesting aspect in this is that unlike before, the dex file is also retrieved with the help of the variant joker malware found android store