{
	"id": "978f6b1a-338f-4959-9ba5-146e9a86e835",
	"created_at": "2026-04-06T00:09:48.578258Z",
	"updated_at": "2026-04-10T03:30:33.801837Z",
	"deleted_at": null,
	"sha1_hash": "810c91b7d8605f9125241e78071d7e64d523bbd9",
	"title": "Stay Alert, Joker still making its way on Google Play Store! - Home",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 590276,
	"plain_text": "Stay Alert, Joker still making its way on Google Play Store! - Home\r\nBy Digvijay Mane\r\nPublished: 2021-01-22 · Archived: 2026-04-05 20:39:01 UTC\r\n\r\nWe recently came across 2 malicious Joker family malware applications on Google Play Store; the company was quick to remove these malicious applications from their store based on our report. These two applications, namely “Easy QR Scanner” and “Free Translator”, have more than 10k installs each.\r\n\r\nFig. 1 Application icons\r\n\r\nWhat is Joker Malware?\r\n\r\nJoker is spyware which steals the victim’s SMS messages, contact list and device info. It silently interacts with advertisement websites and subscribes the victim to premium services without their knowledge. The name “Joker” is taken from one of the C\u0026C domains of earlier found samples.\r\n\r\nFrom its inception, Joker family malware has continued to find its way onto Google Play Store by using different tricks. In January last year, Google announced the removal of more than 1700 Joker malware applications, although many researchers continued finding apps rigged with the spyware. This is because malware authors keep making small changes to their code or payload retrieval techniques to evade detection.\r\n\r\nHere is our analysis of the Easy QR Scanner application:\r\n\r\nAt launch, this application asks for storage, camera and contact access permissions, followed by a request to access notifications. Next, it opens the camera for scanning; if we scan a QR code from this application, it opens the embedded URL. For example, in Fig. 2 see the scanned QR code and its result.\r\n\r\nhttps://blogs.quickheal.com/stay-alert-joker-still-making-its-way-on-google-play-store/\r\nPage 1 of 6\r\n\r\nFig. 2 Application Functionality\r\n\r\nThe application seems useful for now, but it does the malicious activity in the background without the user’s knowledge.\r\n\r\nFig. 3 Packages of application and payloads\r\n\r\nFig. 3 shows packages from the Easy QR Scanner application and its downloaded payloads. In this application, three different payloads are downloaded one after another. The original application uses the Tencent packer to hide its malicious payload downloading functionality. At runtime, it unpacks this application and downloads the first stage payload.\r\n\r\nThe first stage payload, xiwa.doc, is downloaded from C\u0026C jordi.oss-us-east-1.aliyuncs.com\r\n\r\nFig. 4 Three payloads downloaded in three consecutive requests.\r\n\r\nHere is the first entry from the network log for application “Easy QR Scanner”:\r\n{\r\n“Entry”: 1,\r\n“Application”: “Easy QR Scanner”,\r\n“Application package name “: “com.easyqr.scannertool”,\r\n“Request url”: “http://jordi.oss-us-east-1.aliyuncs.com/closer/xiwa.doc”,\r\n“Request method”: “GET”,\r\n“Version”: “HTTP/1.1”,\r\n“Status code”: “200 OK”,\r\n“Remote address”: “47.253.30.162”,\r\n“Domain”: “jordi.oss-us-east-1.aliyuncs.com”,\r\n“Content type”: “application/msword”,\r\n“Port”: “443”,\r\n“SSL”: null\r\n}\r\n\r\nThis file, xiwa.doc, contains code to download the next stage payload, kudo.doc.\r\n\r\nFig. 5 Code snippet of first stage payload\r\n\r\nThis second stage payload contains the code to check the SIM operator code and code to ask for notification access. The SIM operator code can be accessed using the getSimOperator method, which returns [mobile country code + mobile network code]. It also has code to download the 3rd and final stage payload, closer.doc.\r\n\r\nFig. 6 Code snippet of 2nd stage payload\r\n\r\nFinal stage payload: closer.doc\r\n\r\nThis is the final malicious payload responsible for Joker’s behaviour. Below is a code snippet showing the BroadcastReceiver’s onReceive method; it collects received message data.\r\n\r\nFig. 7 Code snippet of received SMS collection\r\n\r\nString obfuscation is used to avoid pattern-based signature detections.\r\n\r\nFig. 8 String obfuscation\r\n\r\nAs shown in Fig. 9, it checks for the SIM operator code first and then visits a site to subscribe to a premium service. Then it requests an OTP and submits the received OTP without the user’s knowledge or consent.\r\n\r\nFig. 9 Subscribing for premium services.\r\n\r\nThese types of techniques (e.g. placing the malicious code inside the 3rd stage payload) are used by malware authors to bypass the security checks of Google.\r\n\r\nAnother application we found (Free Translator) has similar behaviour. These applications look benign but do malicious activities in the background, so the user should avoid downloading these types of applications and try to use applications from trusted developers only.\r\n\r\nTips to stay safe\r\n\r\n1. Download applications only from trusted sources like Google Play Store.\r\n2. Learn how to identify fake applications in Google Play Store.\r\n3. Do not click on alien links received through messages or any other social media platforms.\r\n4. Turn off the installation from unknown sources option.\r\n5. Read the pop-up messages you get from the Android system before accepting/allowing any new permissions.\r\n6. Malicious developers spoof original application names and developer names. So, make sure you are downloading genuine applications only. Often application descriptions contain typos and grammatical mistakes. Check the developer’s website if a link is available on the application’s webpage. Avoid using it if anything looks strange or odd.\r\n7. Reviews and ratings can be fake, but still reading user reviews of the application and the experience of existing users can be helpful. Pay attention to reviews with low ratings.\r\n8. Check the download count of the application; popular applications have very high download counts. But do note that some fake applications have been downloaded thousands or even millions of times before they were discovered.\r\n9. Avoid downloading applications from third-party application stores or links provided in SMSs, emails, or WhatsApp messages. Also, avoid installing applications that are downloaded after clicking on an advertisement.\r\n10. Use a trusted anti-virus like Quick Heal Mobile Security to stay safe from Android malware.\r\n\r\nIOC:\r\nMD5: 3bbf45eab9796a2781e640393fae7423\r\nMD5: f733cfe88fc4089523a634675f808100\r\nURLs of payload:\r\nhxxp://jordi[.]oss-us-east-1[.]aliyuncs.com/closer/xiwa.doc\r\nhxxp://jordi[.]oss-us-east-1[.]aliyuncs.com/closer/kubo.doc\r\nhxxp://jordi[.]oss-us-east-1[.]aliyuncs.com/closer/closer.doc\r\nhxxp://feeli[.]oss-us-east-1[.]aliyuncs.com/feel/kouj.asx\r\nhxxp://feeli[.]oss-us-east-1[.]aliyuncs.com/feel/gechagn.asx\r\nhxxp://feeli[.]oss-us-east-1[.]aliyuncs.com/feel/feel.asx\r\nFinal C\u0026C\r\n47[.]241[.]106[.]26\r\n\r\nSource: https://blogs.quickheal.com/stay-alert-joker-still-making-its-way-on-google-play-store/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.quickheal.com/stay-alert-joker-still-making-its-way-on-google-play-store/"
	],
	"report_names": [
		"stay-alert-joker-still-making-its-way-on-google-play-store"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434188,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/810c91b7d8605f9125241e78071d7e64d523bbd9.pdf",
		"text": "https://archive.orkl.eu/810c91b7d8605f9125241e78071d7e64d523bbd9.txt",
		"img": "https://archive.orkl.eu/810c91b7d8605f9125241e78071d7e64d523bbd9.jpg"
	}
}