{
	"id": "758022d4-0417-45e6-9d3c-df18ba76119b",
	"created_at": "2026-04-06T00:09:04.559079Z",
	"updated_at": "2026-04-10T03:30:33.664334Z",
	"deleted_at": null,
	"sha1_hash": "b60c5592624ba322b679cc7933f88c46baa00428",
	"title": "Joker Unleashes Itself Again on Google Play Store",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1039899,
	"plain_text": "Joker Unleashes Itself Again on Google Play Store\r\nPublished: 2021-09-17 · Archived: 2026-04-05 20:37:54 UTC\r\nJoker malware on Google Play Store continues to scare Android users. Its variants keep finding new tricks and tactics\r\nto stay undetected, either by making small changes to their code or by changing their payload download techniques.\r\nFigure 1: Malicious Joker Apps from Google Play Store\r\nThe following Joker samples were recently discovered on the Google Play Store and have since been removed.\r\nAll Document Scanner\r\nColor Call Flash- Call Screen\r\nClean Wallpaper\r\nFree BP Recorder\r\nFree Chat SMS\r\nFree Document Scanner\r\nFree Super Scanner\r\nFree Writing Message\r\nFree Secret Message\r\nPDF Scanner Master\r\nTime Zone Camera\r\nText Emoji Messages\r\nTeddy love wallpapers\r\nUnique Heart Rate Monitor\r\n\r\nTechnical Analysis\r\nIn this blog, we will be analyzing the new Joker sample com.camera.phototimezonecamera. It is clear from Figure 2\r\nthat this new piece of Joker has adopted multistage dex file loading, as the class name of a service declared in the\r\nAndroidManifest.xml file is not defined in the classes.dex in the APK’s root folder. 
This technique has not been seen in\r\nany of the previous Joker malware samples.\r\nFigure 2: Undefined Class Name in AndroidManifest.xml\r\nThis means that the class missing from classes.dex would be loaded into memory at run-time using one of the\r\ndynamic loading techniques.\r\nOnce launched, the malicious Android Package (APK) retrieves the first-level malicious payload, “a”, a .jar file (containing\r\nthe payload dex), from grouplearn[.shop as shown in Figure 3, which gives the parent malware additional\r\nmalevolent capabilities.\r\nFigure 3: Malicious First Level Payload from C2\r\nThis first-level payload contains a base64-encoded URL from which the next payload is downloaded, as shown in Figure 4.\r\nFigure 4: Reference to the second payload in base64 encoded format\r\n\r\nThe second payload, “w.iov”, again a .jar file, is downloaded from implemente[.life as shown in Figure 4 and defines the\r\n“okhttp3.service” class referenced in the AndroidManifest.xml of com.camera.phototimezonecamera, as shown in\r\nFigure 5.\r\nFigure 5: Defined Class Name from AndroidManifest.xml\r\nThis Joker sample attempts to intercept incoming SMS messages and subscribe the user to paid premium services, as\r\nshown in Figure 6.\r\nFigure 6: Intercept SMS Messages\r\nMitigations\r\nAlways use the Official App Store to download apps\r\nCarefully read the user reviews before installing the apps\r\nEnsure you protect your device and data by using a reputable security product like K7 Mobile Security and\r\nkeeping it up-to-date, to scan all the downloaded apps, irrespective of the source\r\nAt K7 Labs, we are constantly protecting our users with near real-time monitoring of Joker malware.\r\nIndicators of Compromise (IoCs)\r\nPayload URLs\r\nfenglintechnology-app01[.oss-me-east-1.aliyuncs.com\r\nimplemente[.life\r\ngrouplearn[.shop\r\npuerassist[.club\r\nSource: https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/"
	],
	"report_names": [
		"joker-unleashes-itself-again-on-google-play-store"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434144,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b60c5592624ba322b679cc7933f88c46baa00428.pdf",
		"text": "https://archive.orkl.eu/b60c5592624ba322b679cc7933f88c46baa00428.txt",
		"img": "https://archive.orkl.eu/b60c5592624ba322b679cc7933f88c46baa00428.jpg"
	}
}