Joker Malware: A virus that steals from your digital wallet
July 21, 2020 | By - Anmol Kapoor

Named after the legendary DC Universe character Joker, the Joker virus is malware that affects Android apps. The trojan was first found on Google Play by researcher Aleksejs Kuprins in 2019, and its first effects are believed to have started in June 2019. Kuprins stated that by September it had been detected in 24 apps with more than 472,000 downloads. Since then, it has resurfaced repeatedly, affecting Android users time and again and causing major issues. It can be removed from the phone by following certain steps. Let’s look at what the Joker virus is and how it affects apps and their users.

What damage can it cause?

The Joker malware brings a second-stage component onto the device through the installed app. The new component then initiates interaction with advertisements while stealing device information and data such as contacts and messages. The silent interaction with ads is not limited to displaying them; it goes further and simulates clicks on them. The Joker virus also applies authorization codes for premium service subscriptions, causing charges to be automatically debited from your accounts. The virus is intelligent code that can automate the interaction with web pages, obtain the confirmation code or OTP from the SMS, and then finalize the subscription itself.

How was it designed?

The Joker malware only attacks the countries it is designed to target. Many of the apps carry a list of Mobile Country Codes (MCC), and users with a SIM card from one of the target countries can receive the second-stage code. It has mostly affected European countries and Asia, but its list covers 37 countries around the world. While loading the second-stage .DEX file, the Joker malware also receives dynamic code for running JavaScript actions, which protects it against analysis. Hence, the first stage is built into the app to initialize Joker, and the second is downloaded as a .DEX file.

How does it load and get ready to work?

A series of steps follows once you download an app carrying the Joker virus or other malware and the virus's prerequisites are met. The code package generally contains a basic set of components:
  • Code to check the target country via the MCC
  • Communication code for the C&C, used to report the infection and receive encrypted configuration
  • DEX package decryption and loading code
  • A notification listener that reads SMS messages and passes them to the second-stage package
The final and perhaps most important tactic of this trojan is theft of the phone's contact list. In the real world, a biological virus can spread in many ways, for example through human touch. It can multiply and spread depending on how many people are in close proximity. Similarly, this trojan’s core component collects and encrypts the phone numbers and sends them to the C&C for further infection.
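
A defender-side triage of the components listed above plus contact access, as an added example that is not from the original article or from any vendor's tooling: it checks a decoded AndroidManifest.xml and a list of strings from classes.dex for the means to perform each behaviour. The sample manifest, the sample strings, the package name and the `triage` and `needs_review` helpers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Constructed sample: decoded manifest of a hypothetical app, not a real Joker sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".Sync"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
# Constructed sample: strings extracted from the same hypothetical app's classes.dex.
SAMPLE_STRINGS = ["Ldalvik/system/DexClassLoader;", "getSimOperator", "setWallpaper"]

# String markers for the two behaviours that are not visible in the manifest.
DEX_MARKERS = {
    "mcc_check": ("getSimOperator", "getNetworkOperator"),  # both return MCC+MNC
    "dynamic_dex_loading": ("DexClassLoader",),  # also matches InMemoryDexClassLoader
}

def triage(manifest_xml, dex_strings):
    """Return the sorted list of first-stage behaviours the app has the means to perform."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    found = set()
    if "android.permission.INTERNET" in perms:
        found.add("network_access")         # needed for C&C reporting and DEX download
    if "android.permission.READ_CONTACTS" in perms:
        found.add("contact_access")
    if any(s.get(ANDROID + "permission") == LISTENER_PERM for s in root.iter("service")):
        found.add("notification_listener")  # can read SMS text shown in notifications
    for behaviour, markers in DEX_MARKERS.items():
        if any(m in s for s in dex_strings for m in markers):
            found.add(behaviour)
    return sorted(found)

def needs_review(manifest_xml, dex_strings):
    """Each signal alone is common in legitimate apps; escalate only when all five co-occur."""
    return len(triage(manifest_xml, dex_strings)) == 5

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_STRINGS), needs_review(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```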

What is the Play Store doing about it?

Google has always been on its toes when it comes to malware, and since the first instance of the Joker malware was detected, Google’s teams have been researching it to understand it and find ways to eliminate it. The best solution employed so far is to delete the fraudulent, malware-spreading apps from the Play Store, and every now and then Google has deleted a number of apps to keep users safe. It also guides users on how to remove apps that may contain the Joker malware. Antivirus companies have also shared important knowledge on how to remove viruses and other malware such as Joker.

Can you fix it?

Users can follow a few steps to stay safe when such viruses are doing the rounds:
  • Always download apps from trusted sources and developers
  • Use proven and trusted antivirus software for your phone
  • Always keep track of your card bills and e-wallets, and keep an eye out for suspicious transactions
  • If infected, always alert the people who are in your contact list
  • Always uninstall any spurious app if there is any suspicion, or any update from the Play Store
To sum up, the Joker virus can get into your phone through an application that you have downloaded, and steal your money by automatically subscribing you to paid services. The dangerous part is that all of this happens in the background, and users might not even know until it is too late. You can stay safe by looking online and checking for updates from Google about the deletion of apps infected by the virus. You can download antivirus software for your phone and uninstall all apps from non-trusted sources. Users infected by the Joker malware are also advised to let everyone in their contact list know, so that others can be alert.
