An old acquaintance returns. One that keeps coming back every so often. It is the Joker malware, which continues to infect applications that sneak into the Google Play Store despite security measures and barriers.

Joker Returns

And it is that, after infecting more than 500 thousand Huawei mobile phones in 2020, Joker continues to return periodically. And despite the security of the Android Store, The Joker has once again managed to sneak into up to 13 applications, some of them with more than 100,000 downloads. Like the previous variants, you can also subscribe users to websites that offer payment services, which means that users risk a big surprise at the end of the month when their bank account or credit card statement get to the mailbox.

In fact, in the past some victims have been found paying more than 240 pounds (279 euros) a year for these fraudulent subscriptions. A Kaspersky Android malware researcher Tatyana Shishkova has warned of a resurgence of malware in a series of posts on Twitter, listing more than a dozen applications that, at first glance, seem harmless, but contain dangerous malware.

13 tainted apps

Google has already removed these apps from the Play Store, but if you have any of the applications listed below installed on any of your Android devices, you should remove it immediately:

1. Classic Emoji Keyboard
2. Battery Charging Animations Battery Wallpaper
3. Battery Charging Animations Bubble Effects
4. EmojiOne Keyboard
5. Easy PDF Scanner
6. Flashlight Flash Alert On Call
7. Halloween Coloring
8. Now QRcode Scan
9. Dazzling Keyboard
10. Smart TV remote
11. Volume Booster Louder Sound Equalizer
12. Volume Booster Hearing Aid
13. Super Hero-Effect

As you can see, some of these apps have similar names. Shiskova warned about Battery Charging Animations Battery Wallpaper on Nov 4, but although it was removed from the Play Store only a week later, the Battery Charging Animations Bubble Effects application appeared, similarly named, also infected by the Joker.

The developers and application icons are not the same, but the fact that the format of the developer names used is so similar: Erica E. Guel and Charles M. Roseman suggests that the same people are behind . In fact, most of this list of applications uses the same naming format.

Malware Joker

Baptized as one of the most essential comic book villains and an authentic icon of popular culture -and also fashionable for the homonymous film that is sweeping awards-, The Joker es un malware that has managed to sneak into many applications within the Google Play Store of Android. The virus acts in 2 phases, and its danger is not only that it steals your data, but it also steals money in real time. This is how it works:

Phase 1

• Idevice infection using malware to integrate into the system
• Identification of the country in which the terminal is located
• Communication Command and Control C&C with hackers to a minimum, just enough to receive encrypted settings

Phase 2:

• DEX file decryption -an executable file saved in a format that contains compiled code written for Android- and loads it.
• Theft of SMS messages, data who sends us the message
• Robbery of the list of contacts and data Of the device
• Interaction with advertising websites to withdraw money through the infected mobile

A malware that steals money from you

The worst thing about this second phase is that the malware Joker starts interacting with ad websites, using authorization codes for premium subscriptions of those pages and simulating clicks in banners and others, that is: signing up for advertising services that we have not requested. Through this technique, Joker can be made with up to 6.71 euros a week in countries like Denmark thanks to the automation of the process of interacting with the premium offer of a specific website.

In order to maximize your attacks but minimize your risks of being caught, The Joker only performs in a certain number of countries -Spain included. In fact, many of the apps infected with this malware have an MCC, a list of country mobile codes, to know in which one it is operating. If you use a SIM from one of the countries on the list, phase 2 of the virus is activated, which involves SMS, data and monetary action.

Most of the compromised applications operate in European and Asian countries, and have an additional check to avoid doing so in the United States or Canada, although some apps do infect North American SIM cards.