Joker Malware

Joker is spyware that collects SMS messages, contact lists, and information about infected devices. Additionally, Joker has the ability to monetize the malware infection by registering the device for premium services without the owner’s approval. In October 2022, Joker was the third most common mobile malware behind Anubis and Hydra.

Delivered via malicious apps available from the Google Play Store, this mobile malware has been detected in a variety of different applications, including messaging, health, and translation apps. Malicious apps are removed from the Play Store after detection, but they commonly rack up thousands of downloads, and the malware authors continue to distribute new apps laced with the malware.


Request a Demo Get the Security Report

The Threat

Once the Joker malware has been installed on a device, it commonly requests a number of different permissions. This allows the versatile malware to take various malicious actions on the device, including:

  • Monitoring SMS and Intercepting OTPs : Joker malware has the ability to read and send text messages, and read the content of app notifications. This allows the malware to collect and intercept One-time passwords (OTPs) which are a common but insecure form of implementing multi-factor authentication (MFA).  Joker can intercept OTPs, defeating MFA and enabling the attacker to take over the user’s accounts.
  • Taking Device Screenshots: Joker malware has the ability to take screenshots of infected mobile devices. This could allow the malware to access sensitive information that is not contained in SMS messages or notification content.
  • Making Phone Calls: Joker has the ability to perform calls from the infected device. This could allow the malware to engage in various types of fraud.
  • Collecting Contact Lists: Joker exfiltrates contact lists from infected devices. This contact list can be used to plan spear phishing attacks, especially as the malware can send SMS messages and make calls from the user’s number.
  • Accessing Device Information: Joker collects and exfiltrates various pieces of information about the infected device. This can help the attacker to plan further attacks on the device.
  • Registering for Premium Services: Joker can be used to register mobile device owners for premium services without their consent. This provides the attacker with a means of making money off of their control over the infected device.

How to Protect Against Joker Malware

Joker is a trojan that sneaks onto mobile devices by pretending to be a legitimate and desirable app on the Google Play Store. Some means of protecting against Joker malware infections include the following:

  • Enable Play Protect: Play Protect is a built-in security feature of the Google Play Store that inspects apps for malware before downloading them. Leaving Play Protect active provides a first line of defense against malware.
  • Investigate Apps Before Download: Malware developers commonly build their malware into desirable applications that are deployed on app stores. Before downloading an app, look at the reviews and investigate the company’s website to check if it’s legitimate.
  • Limit Downloaded Apps: Every app downloaded to a mobile device increases the probability that one is malware or contains an exploitable vulnerability. Limiting the number of apps installed on corporate devices restricts the digital attack surface.
  • Manage App Permissions: Mobile malware commonly requests various permissions, such as access to SMS messages or the phone. Restricting permissions — and not installing apps that request suspicious ones — reduce the threat of mobile malware.
  • Deploy Mobile Security Solutions: Mobile devices require enterprise-grade security just like the other devices that employees use to do their job. Mobile security solutions can block downloads of known malware and scan smartphones for suspicious or malicious apps.
  • Implement Strong MFA: Mobile malware is commonly designed to steal credentials that allow account takeover. Implementing strong MFA — which doesn’t use SMS OTPs that can be intercepted by Joker — helps to manage this risk.
  • Enforce Least Privilege: A compromised mobile device poses a security risk to corporate systems and applications. Enforcing least privilege limits the potential damage that a compromised device or user account can do.

Joker Trojan Malware Protection with Check Point

Joker poses a serious risk to user privacy and security on infected Android devices. However, it is only one among several types of malware used actively in attack campaigns. Learn more about the current mobile and malware threat landscape in Check Point’s 2023 Cyber Security Report.

Check Point Harmony Mobile provides comprehensive protection for corporate mobile devices. With access to threat intelligence from Check Point ThreatCloud, Harmony Mobile has visibility into the latest cyberattack campaigns targeting mobile devices. Learn more about how Harmony Mobile can secure your organization against mobile malware like Joker by signing up for a free demo today.

This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.