Check Point Software Technologies: Check Point is a multinational provider of software and combined hardware and software products for IT security, including network security, endpoint security, cloud security, mobile security, data security and security management.

JOKER: Large-Scale Billing Fraud Family

Joker is one of the most prevalent Android malware. First discovered in 2017, it is infamous for carrying out billing fraud, stealing SMS, contact lists and device information. The malware which started primarily as SMS fraud, moved to billing fraud after Google restricted use of SMS permission. Google in a blog post, claims that the Joker malware family has used every cloaking and obfuscation technique to go undetected.

For the toll billing fraud, the virus family made the user visit a URL to complete billing and enter their phone number. It used injected clicks, custom HTML parsers and SMS receivers to automate the billing process without the user noticing. The virus family has also tried using crypto libraries, custom-implemented encryption algorithms, some unclear methods which used JavaScript in WebViews and several commercially available softwares to go undetected. The main problem with this malware was, the affected apps had fake contact information and the billing process would start without the user confirming it.

Now you would be wondering why would Google allow such apps to run on PlayStore? Well, according to Google’s official statement, the malware-infected apps were uploaded as clean apps and the malicious code was added to it via an update.

Last year, Google removed 24 apps infected with the Joker malware from its PlayStore and before being removed, the apps had amassed over 500,000 downloads. Also, Google claims that, till date, it has detected and removed 1,700 unique apps from the malware family on its Play Store even before being downloaded by a single user.

Joker Malware

Current Scenario

The latest report from Check Point’s researchers has discovered a new variant of the Joker Dropper and Premium Dialer spyware in the Google Play Store. This spyware was found lying inside seemingly harmless applications. This new malware downloads additional malware to the device and subscribes the victim to a number of premium services, of course, without their consent.

Google has removed 11 such apps that were infected by this new malware:


  • com.relax.relaxation.androidsms

  • com.cheery.message.sendsms

  • com.peason.lovinglovemessage


  • com.hmvoice.friendsms

  • com.file.recovefiles

  • com.LPlocker.lockapps

  • com.remindme.alram


Joker, one of the most prominent types of malware for Android, keeps finding its way into Google’s official application market as a result of small changes to its code, which enables it to get past the Play store’s security and vetting barriers,” the Check Point team said in its report. “This time, however, the malicious actor behind Joker adopted an old technique from the conventional PC threat landscape and used it in the mobile app world to avoid detection by Google.

The new Joker malware uses two components - Notification Listener service that is part of the original application, and a Dynamic Dex file loaded from the C&C server (Command & Control server) to perform the registration of the user to the services.

The report further said, “In an attempt to minimize Joker’s fingerprint, the actor behind it hid the dynamically loaded dex file from sight while still ensuring it is able to load – a technique which is well-known to developers of malware for Windows PCs. This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded.

If you have any of the 11 mentioned apps installed on your smartphones, uninstall them immediately. Also, check your mobile and credit-card bills to ensure that you’ve not been subscribed to any unknown services without your consent. You should also consider insalling a security solution for your device. Always download apps from names you trust. And stay away from developers no one has heard of to be extra safe.