{
	"id": "c9d53f9e-6ce4-4b17-aeaf-54c62a91926e",
	"created_at": "2026-04-06T00:17:58.611849Z",
	"updated_at": "2026-04-10T03:30:33.099692Z",
	"deleted_at": null,
	"sha1_hash": "c7a07dbb3adb56ef435da58bde1c865488875f52",
	"title": "Joker Is Still No Laughing Matter | Zimperium Mobile Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1323991,
	"plain_text": "Joker Is Still No Laughing Matter | Zimperium Mobile Security Blog\r\nPublished: 2021-07-13 · Archived: 2026-04-05 18:46:10 UTC\r\nThe Wayback Machine - https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/\r\nRichard Melick\r\nAndroid\r\nJul 13 2021\r\nAs one of the key members of Google’s App Defense Alliance, Zimperium helps ensure the Android ecosystem is safer by processing all apps before they reach Google Play. Despite this direct involvement, malicious applications can find their way to Android devices through various app stores, sideloaded applications, and compromised or malicious websites that trick users into downloading and installing apps.\r\nSince 2017, over 1,800 Android applications infected with Joker have been removed from the Google Play store, highlighting the long history of this malware and its evolution over the years. Despite Google’s advanced technologies and its partnerships with malware security companies like Zimperium, the malicious actors have routinely found new and unique ways to get this malware into both official and unofficial app stores. While they never last long in these repositories, the persistence highlights how mobile malware, just like traditional endpoint malware, does not disappear but continues to be modified and advanced in a constant cat-and-mouse game.\r\nhttps://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/\r\nPage 1 of 4\r\nRecently, the Zimperium zLabs mobile threat research team has noticed a large uptick in Joker variants on Android marketplaces, with over 1000 new samples since our last coverage in September 2020. These variants were found using the same malware machine learning engine powering zIPS on-device detection and Google’s App Defense Alliance, proving that on-device detection capabilities are a must to ensure full protection of an enterprise’s mobile endpoints.\r\nLet’s first recap why Joker is so effective and popular as Android malware.\r\nWhat Is Joker?\r\nJoker trojans are malicious Android applications, known since 2017, that are notorious for performing billing fraud and subscribing users to premium services. The outcome of a successful mobile infection is financial gain for the cybercriminal, oftentimes under the nose of the victim until long after the money is gone, with little to no recourse for recovery.\r\nThe trojan’s main functionality is to load a dex file and perform malicious activities like inspecting notifications or sending SMS messages to premium subscription services. While Google Play has worked hard to bring alerts to the mobile user, Joker counts on the distracted nature of mobile alerts and on social engineering for them to be accepted or even ignored.\r\nThe malicious activities can be divided into the following stages:\r\n1. Decode or decrypt the strings to get the first-stage URL.\r\n2. Download the payload dex file from the above URL.\r\n3. Load the payload dex file using reflection techniques to invoke the DexClassLoader constructor.\r\n4. The dex file performs malicious activities and communicates with the C\u0026C server.\r\nIn the following flowchart, the full attack chain is shown.\r\nThese are the four pivot points each Joker sample uses, and it employs several evasion techniques to remain undetected. Most often, Joker is disguised as commonly downloaded applications like games, wallpapers, messengers, translators, and photo editors.\r\nWhat Has Changed Since September 2020\r\nThe malicious developers behind the current, most advanced forms of Joker are taking advantage of legitimate developer techniques to hide the actual intent of the payload from traditional, legacy mobile security toolsets. They start by using the common framework Flutter to code the application in a form that traditional scanners see routinely. Because Flutter is so common, even malicious application code will look legitimate and clean, whereas many scanners are looking for disjointed code with errors or improper assemblies.\r\nThe malicious developers are embedding Joker as a payload that can be encrypted in different ways: either a .dex file XORed or encrypted with a number, or the same .dex file as before but hidden inside an image using steganography. Both methods obfuscate the intent of the payload from legacy scanning and mobile security tools.\r\nAfter successful installation, the application infected with Joker runs a check using Google Play APIs for the latest version of the app in the Google Play Store. If there is no answer, the malware remains silent, since it may be running on a dynamic analysis emulator. If the version found in the store is older than the current version, the local malware payload is executed, infecting the mobile device. If the version in the store is newer than the current one, the command and control servers are contacted to download an updated version of the payload.\r\nJoker Trojan’s never-before-seen behavior includes URL shorteners, checking the current time against a hardcoded launch time, images infected using steganography hosted on legitimate cloud file hosting services, and a combination of native libraries to decrypt the offline payload from the APK’s assets or connect to C\u0026C for the payload.\r\nJoker vs. Zimperium\r\nZimperium zIPS customers are protected against 100% of the Joker variants analyzed with our zero-day, on-device z9 Mobile Threat Defense machine learning engine model and static analysis.\r\nAs a standard protocol, the Zimperium zLabs team checks new malware samples against not only the current machine learning model but past ones as well. In the case of Joker, Zimperium zIPS customers have been consistently protected against these latest variants of this aggressive Android trojan.\r\nTo ensure your Android users are protected from the Joker malware, we recommend a quick risk assessment. Inside zConsole, admins can review which apps are side-loaded onto the device that could be increasing the attack surface and leaving data and users at risk.\r\nAbout Zimperium\r\nZimperium, the global leader in mobile security, offers the only real-time, on-device, machine learning-based protection against Android, iOS, and Chromebook threats. Powered by z9, Zimperium provides protection against device, network, phishing, and malicious app attacks. For more information or to schedule a demo, contact us today.\r\nSource: https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/"
	],
	"report_names": [
		"joker-is-still-no-laughing-matter"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434678,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c7a07dbb3adb56ef435da58bde1c865488875f52.pdf",
		"text": "https://archive.orkl.eu/c7a07dbb3adb56ef435da58bde1c865488875f52.txt",
		"img": "https://archive.orkl.eu/c7a07dbb3adb56ef435da58bde1c865488875f52.jpg"
	}
}