joker trojan

The Joker Trojan has recently targeted Android devices to steal SMS messages, contact lists, and device information. The cybersecurity researchers at CSIS has affirmed that the Joker is one of the new kind of malware that is mainly targeting and putting Android devices in danger.

This spyware is intended to steal SMS messages, contact lists, and device information. Not only this, but it also signs up silently in the victim account for premium wireless application protocol (WAP) services.

Possible plots

All the possible plots are divided into 3 range, that are Direct download, One-stage download, and Two-stage download.

Direct download

In this case, the final payload is being delivered via a direct URL that is received from the command and control (C&C) server. In this scenario, the infected Google Play store app has the C&C address stored in the code itself with chain obfuscation. After installing it, the infected app communicates with the C&C server, and then it reacts with the URL of a final payload. 

One-stage download

In this scenario, the experts have observed that for recovering the final payload, the infected Google Play app utilizes a stager payload. 

jokar android trojan

That’s why the infected Google Play store app has the stager payload URL, that is encoded in the code itself and encrypted utilizing the Advanced Encryption Standard (AES). However, the main job of this stager payload is to retrieve the final payload URL from the code and then download it.

Two-stage download

In this case, the infected Google Play store apps have two-stage payload downloads to recover the final payload. That’s why the Google Play infected app downloads the stage one payload, which downloads the stage two payload, that eventually loads the end Joker payload. 

jokar android trojan

Once the execution of stage one payload is done, it downloads the stage two payload, and that’s why the stage two payload shows the same performance as stage one payload.

Infected apps 

The apps that are infected by this trojan are mentioned below:-

  • All Good PDF Scanner
  • Mint Leaf Message-Your Private Message
  • Unique Keyboard – Fancy Fonts & Free Emoticons
  • Tangram App Lock
  • Direct Messenger
  • Private SMS
  • One Sentence Translator – Multifunctional Translator
  • Style Photo Collage
  • Meticulous Scanner
  • Desire to Translate
  • Talent Photo Editor – Blur focus
  • Care Message
  • Part Message
  • Paper Doc Scanner
  • Blue Scanner
  • Hummingbird PDF Converter – Photo to PDF
  • All Good PDF Scanner

All these modifications were employed by Joker to approach the end payload, and here the experts affirmed that the same end payload gets downloaded in all the cases. At the same time, the final payload employs DES encryption to execute C&C activities.


The security experts have recommended to the following prevention measures for all Android users to keep themselves secure:-

  • Users must pay close attention to the subscription list of all the apps that are installed by you on your Android device. 
  • Users must keep watch for the risky permissions that are linked to SMS, call logs, contacts, and more. 
  • Read the comment or reviews on the app page to identify the fraud apps and implement an extra layer of security.

According to the Zscaler reports, currently, the Joker Trojan is only targeting the EU and Asian countries. And till now, 24 apps with over 472,000 installs on the Google Play Store have been identified with this malware.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read:

Cerberus – Android Banking Malware Bypass 2FA To Steal 200+ Mobile Apps Credentials

Russian National Arrested for Hiring Tesla Employee to Install Malware On to The Company’s Network

Iranian Charming Kitten APT Hackers Deploying Malware via WhatsApp Messages

Hidden Cobra APT Hackers Attack Japanese Organisations Via Obfuscation Malware & Remote SMB Tool

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.