{
	"id": "cfe7eeae-0ecb-4653-941a-5b5d9e00a370",
	"created_at": "2026-04-12T02:22:27.083438Z",
	"updated_at": "2026-04-12T02:22:41.439048Z",
	"deleted_at": null,
	"sha1_hash": "45ad7ebc83b15134af3ebca0cd560a987e7a9ad2",
	"title": "New Joker variant hits Google Play with an old trick",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 66003,
	"plain_text": "New Joker variant hits Google Play with an old trick\r\nBy etal\r\nPublished: 2020-07-09 · Archived: 2026-04-12 02:11:04 UTC\r\nResearch By: Aviran Hazum, Bogdan Melnykov, Israel Wernik\r\nOverview:\r\nCheck Point’s researchers recently discovered a new variant of the Joker Dropper and Premium Dialer spyware in Google Play. Hiding in seemingly legitimate applications, this updated version of Joker was able to download additional malware to the device, which subscribes the user to premium services without their knowledge or consent.\r\nhttps://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/\r\nPage 1 of 8\r\nFigure 1 – Joker application on Google Play\r\nGeneral:\r\nJoker, one of the most prominent types of malware for Android, keeps finding its way into Google’s official application market as a result of small changes to its code, which enable it to get past the Play store’s security and vetting barriers. This time, however, the malicious actor behind Joker adopted an old technique from the conventional PC threat landscape and used it in the mobile app world to avoid detection by Google.\r\nTo subscribe app users to premium services without their knowledge or consent, Joker uses two main components – the Notification Listener service that is part of the original application, and a dynamic dex file loaded from the C\u0026C server to perform the registration of the user to the services.\r\nIn an attempt to minimize Joker’s fingerprint, the actor behind it hid the dynamically loaded dex file from sight while still ensuring it is able to load – a technique which is well known to developers of malware for Windows PCs. This new variant now hides the malicious dex file inside the application as Base64 encoded strings, ready to be decoded and loaded.\r\nTechnical Analysis:\r\nOriginally, the code that was responsible for communicating with the C\u0026C and downloading the dynamic dex file was located inside the main classes.dex file; now the functionality of the original classes.dex file includes loading the new payload.\r\nJoker triggers the malicious flow from the Activity by creating a new object that communicates with the C\u0026C to check whether the campaign is still active. After confirmation, it can then prepare the payload module to be loaded.\r\nFigure 2 – Creation of the malicious object\r\nFigure 3 – Malicious object communicates with C\u0026C\r\nFigure 4 – Response from C\u0026C server\r\nThe first method used to load the dex file was to read it from the manifest file. When inspecting the manifest file, we could see that there was another metadata field that contained a Base64 encoded dex file. So all that was needed was to read the data from the manifest file, decode the payload, and load the new dex file.\r\nFigure 5 – Manifest file containing the Base64 encoded dex\r\nFigure 6 – Reading data from manifest\r\nDuring our research, we also detected an “in-between” variant that used the same technique of hiding the .dex file as Base64 strings – but instead of adding the strings to the Manifest file, the strings were located inside an internal class of the main application. In this case, all that was needed for the malicious code to run was to read the strings, decode them from Base64, and load the result with reflection.\r\nFigure 7 – Strings inside main application\r\nFigure 8 – Reading class strings and decoding them\r\nFigure 9 – Loading the dex file with reflection\r\nFigure 10 – Decrypting strings\r\nThe new payload contained code that the original Joker had in its main dex file – the registration of the NotificationListener service, subscribing the user to premium services, and more. After this change, all that the actor needed in order to hide the entire functionality was to set the C\u0026C server to return “false” on the status code, and none of the malicious activity would occur.\r\nConclusion:\r\nIf you suspect you may have one of these infected apps on your device, here’s what you should do:\r\nUninstall the infected application from the device\r\nCheck your mobile and credit-card bills to see if you have been signed up for any subscriptions and unsubscribe if possible\r\nInstall a security solution to prevent future infections\r\nProtect your enterprise and users from sophisticated mobile cyberattacks like Haken or any other ones with SandBlast Mobile. To protect personal devices against attacks, check out ZoneAlarm Mobile Security.\r\nIOCs:\r\nMitre ATT\u0026CK\r\nSource: https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/"
	],
	"report_names": [
		"new-joker-variant-hits-google-play-with-an-old-trick"
	],
	"threat_actors": [],
	"ts_created_at": 1775960547,
	"ts_updated_at": 1775960561,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45ad7ebc83b15134af3ebca0cd560a987e7a9ad2.pdf",
		"text": "https://archive.orkl.eu/45ad7ebc83b15134af3ebca0cd560a987e7a9ad2.txt",
		"img": "https://archive.orkl.eu/45ad7ebc83b15134af3ebca0cd560a987e7a9ad2.jpg"
	}
}