Joker Malware: The Thorn in Google’s Side

Joker malware was discovered in 2016, so what makes this strain of malware so persistent and good at what it does? There are a few considerations for Android users to know.

The Joker malware program (aka Bread) has been a thorn in the side of Google since 2019, prompting Google to call it the most persistent threat they’ve dealt with since 2017. Google continues to update its protections and remove infected apps from its store, but Joker’s authors keep changing the code, execution methods and payload-retrieving techniques, allowing it to keep popping up in the Android Play Store. But what is this malware, and how does it keep creeping past Google’s security protections? Let’s dive into the specifics of Joker.

First, we have to mention that it will be hard to tell if you’ve downloaded an app with malware. There are no flashing lights, red flags or anything special to set these apps apart from any of the others. It’s likely you won’t even know your information has been exposed until it’s too late. Authors of the malware clone another app’s functionality before they upload it to the Play Store, so the app you download will look and act like any other app and function exactly how it says it will.

When you go to download the app, it will request access to permissions that a normal app wouldn’t need to function. These permissions are dangerous, and this is the back door we discussed in previous articles. Once you agree, likely without looking at the permissions because society is too busy to read the fine print, the malware hangs out. It doesn’t run the first time you open the app, but waits hours or even days to do something malicious. This delay helps the app bypass Google’s security scans; combined with the constantly changing code, it makes Joker very difficult to defend against.

Infected apps get through Google’s security protections and into the Play Store through droppers, which infect the victim’s device in a multi-stage process. First, the app is downloaded. Then, there’s the delay. Next, the app downloads (or drops) additional components or apps that contain the Joker malware. Once the malware is on the device, it steals SMS messages, contact lists and other device information, and signs the victim up for premium WAP services without the user realizing it.
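The article’s point about unnecessary permissions can be turned into a simple defender-side triage check. The example below is added here and is not code from the article or from any Joker sample: it parses a decoded AndroidManifest.xml (the kind apktool produces; that input format is an assumption) and flags an app that requests SMS access alongside contact or device-information access, the combination the article describes. The two manifests embedded in the block are constructed samples, and the permission names are the real Android constants.

```python
"""Permission triage for a decoded Android manifest (added example).

Flags the combination the article describes: SMS access requested by an
app that, by its own description, has no business reading messages. This
is a heuristic for prioritising review, not proof of malware; a genuine
messaging app legitimately requests the same permissions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission constants, grouped by the data the article says
# Joker steals or abuses (SMS, contacts, device information).
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}
CONTACT_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
}
DEVICE_INFO_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
}

# Constructed sample: a "wallpaper" app asking for SMS and contact access.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <application android:label="Cool Wallpapers"/>
</manifest>
"""

# Constructed sample: the same kind of app requesting only what it needs.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers.clean">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Plain Wallpapers"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            perms.add(name)
    return perms


def triage(manifest_xml):
    """Summarise which sensitive categories the manifest requests.

    'suspicious' is set when SMS access is requested together with at least
    one other sensitive category, matching the data-theft pattern described.
    """
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    sms = sorted(perms & SMS_PERMISSIONS)
    contacts = sorted(perms & CONTACT_PERMISSIONS)
    device_info = sorted(perms & DEVICE_INFO_PERMISSIONS)
    other_sensitive = bool(contacts or device_info)
    return {
        "package": root.get("package"),
        "sms": sms,
        "contacts": contacts,
        "device_info": device_info,
        "suspicious": bool(sms) and other_sensitive,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage(manifest)
        verdict = "REVIEW" if result["suspicious"] else "ok"
        print(f"{result['package']}: {verdict} sms={result['sms']} "
              f"contacts={result['contacts']} device={result['device_info']}")
```

The check deliberately keys on a combination rather than any single permission, because a lone READ_PHONE_STATE or INTERNET request is ordinary; it is the SMS-plus-contacts pairing in an app that advertises itself as a wallpaper or utility tool that deserves a closer look before installation or store approval.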

Last week’s removal of 17 apps was not Google’s first encounter with Joker malware. In fact, it was the third time the program has popped up in a matter of months. The first appearance was back in July, an attack that started in March and infected millions of devices. Google also removed six apps at the beginning of September after the malware was discovered.

But the Play Store isn’t the only place the malware is found; it’s also been found on third-party Android app stores. Anquanke, which uncovered the July attack, said that it has discovered more than 13,000 Joker samples since the malware first showed up in 2016. In all, Google has removed 1,700 apps from the Play Store since 2017.

Malware is more than “just” a virus. It doesn’t just shut down your device or make it unusable, although it has that capability. It also steals information, data, anything it can get that could be of value. It’s why we talk about doing your due diligence when downloading an app: vetting the apps you download, checking reviews and looking each one up on Google to make sure there are no known issues around it. This is also why we say to practice good cyber-hygiene: don’t click on links you don’t know, make sure you’re using antivirus and antimalware software, don’t recycle passwords, etc. The authorities are catching up with cyber criminals, but it’s going to take time. You have to be vigilant about your devices and ensure your information stays secure.

About the Author

Pieter VanIperen, Managing Partner of PWV Consultants, leads a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. He is a 20-year software engineering veteran who founded or co-founded several companies. He acts as a trusted advisor and mentor to numerous early-stage startups, and has held the titles of software and software security executive, consultant and professor. His expert consulting and advisory work spans several industries, including finance, media, medical tech, and defense contracting. He has also authored the highly influential precursor HAZL (jADE) programming language.
