The Joker malware, also known as Bread, has caused significant havoc amongst Android users. Google claimed to have removed over 1,700 apps infected with the malware from the Play Store. This battle has been going on for more than 3 years: since Joker was first detected in 2017, new versions have kept surfacing that manage to elude Google’s app validation systems.
What is the Joker Malware?
Joker malware was embedded in the APK files of different apps. It was deliberately injected into their code and went through multiple code changes to bypass Google’s security checks. Sometimes Google was able to detect a given version and stop its spread, but on other occasions a code change would let the Joker malware slip through the cracks and get onto the Play Store.
The way the Joker malware works is very simple. It is a form of Trojan that downloads a secured configuration from a remote server during the installation of the infected app. Once installed, the infected app gains access to the Notification Listener service and to SMS messages, which gives it the one-time passcodes (OTPs) used to authorize and authenticate payments over the Google Play Store. With control over notifications, SMS, and OTP-based payment authorization, the malware can then drain funds from the victim without being noticed at all.
An infected user will not notice anything or receive any notification while the malware is present on the device. The malware signs the user up for paid subscription services, deducting money from the credit card attached to the user’s account. These payments are difficult to detect; most users only discover the unauthorized charges on their credit card statements.
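The capability combination described above (a notification listener plus SMS access, used to capture OTPs) is something a defender can triage for before an app ever reaches a device. The following is an added example, not code from the original article or from any Joker analysis: it parses an Android manifest and flags apps that declare both a service bound with BIND_NOTIFICATION_LISTENER_SERVICE and SMS read/receive permissions. The two manifests are constructed samples; the package names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permission strings; together they are the capability
# set the article attributes to Joker (notifications + SMS/OTP + network).
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
INTERNET = "android.permission.INTERNET"

# Constructed sample: a "wallpaper" app that needs none of these but asks anyway.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a benign app that only talks to the network.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def capabilities(manifest_xml: str) -> dict:
    """Return which Joker-relevant capabilities the manifest declares."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    # A notification listener is a <service> guarded by the bind permission.
    listener = any(s.get(PERM_ATTR) == NOTIF_LISTENER for s in root.iter("service"))
    return {
        "notification_listener": listener,
        "sms": bool(declared & SMS_PERMS),
        "internet": INTERNET in declared,
    }


def needs_review(manifest_xml: str) -> bool:
    """Flag the notification-listener + SMS combination for manual review."""
    caps = capabilities(manifest_xml)
    return caps["notification_listener"] and caps["sms"]
```

This is a triage heuristic, not a verdict: legitimate SMS or notification apps declare the same permissions, so a hit means "inspect the code", not "malicious".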
Who Made the Joker Malware?
The destination of these payments is not yet known. Looking at the infected applications, it is difficult to determine who made the Joker malware, where the money was going, and which individuals uploaded the infected apps to the Google Play Store.
Some cybersecurity companies were able to inspect parts of the malware’s code and found it filled with comments in Chinese. This may indicate where the Joker malware originated, but it could also be a misleading trace left deliberately by its creators.
The investigation into how these subscriptions were set up and where the money ended up was also fruitless. It has been three years since the Joker malware surfaced, and new versions of it still appear on the Google Play Store doing the same thing as the first version. Google constantly removes apps from its Play Store, but it cannot force users to delete infected apps from their phones. Efforts are being made to improve detection, but so far the malware still manages to persist on the official Google Play Store.
Because the Joker malware subscribes to paid services that do not cost a lot, some users may not even notice the small charges on their credit card statements.