Posted by Evina on

​Evina questioned one of our security analyst, Maxime INGRAO, Security Analyst to share with you our expertise about Joker, the malware everyone heard / speaks about.

What is Joker? 
Joker is a malware. A malicious app making purchases on carrier billing. 

How did people get infected by Joker? 
Joker is the name of a malware, a piece of code that has been found in numerous apps distributed on the Google Play Store. Most of them are utilities apps, picture filtering apps, wallpaper apps even anti-virus apps!

What type of malware is Joker?
Well, it is a very comprehensive malware. It knows how to read and write SMS, and how to steal information and contact list from the user. It targets specific and numerous countries at once. Joker is the perfect application of what is fraud on apps.

The code targeting the countries

Were Evina’s clients victims?
No. While several anti-fraud solutions are based on blacklist, EVINA DCBprotect is different. We don’t rely on a list of malicious app, we detect fraud types, and block fraud mechanisms. In other words, we search for the fraud’s DNA, not only the envelop. Evina detected and blocked 5M+ payment attempts/transactions labelled as the Joker virus, and our clients have been informed right away.

How is it possible to have malicious apps displayed in the Google Play Store?
There are several techniques… Regarding Joker malware, the fraudulent code is downloaded on a server, then written after the app launching, so when Google Play get the app for checking, it doesn’t see the fraudulent code.

So, how did EVINA DCBprotect detect it? 
The mechanism used by Joker had been identified in other malware through our mobile honeypot. Our honeypot mobile is a system that constantly installs malicious applications, decompile and analyze them to give us behavioral patterns to identify and block.

What is worth knowing about this malware? 
First of all, the malware makes the web page invisible to victims and clicks on the purchase button without victims knowing. In order to hide the attack, the malware modifies the x-requested-with header. Last but not least, the app grabs phone numbers and compares them to a suspect numbers database created by the fraudster to potentially not execute the attack.

The code part checking to avoid execution on specific numbers

A final word?
Joker is doing the buzz but there has been and there are still a lot of more harmful and sophisticated malware targeting carrier billing. We are expert in carrier billing and 100% focus on anti-fraud. In the last 24 hours, we protected our clients from 91 358 fraudulent transactions.

Who is Maxime INGRAO?

Security Analyst at Evina, Maxime leads malware research, reverse engineering and security web conception. Hacking passionate, Maxime is dedicated to cybersecurity. As a teenager, he created a community website gathering 1500+ members around cybersecurity. He started his professional path in web development before fully working in cybersecurity.

You should also read


We give access to our clients to the world’s top talent to help them manage today’s global mobile threats and to ensure their...

Read more

A new Trojan family is targeting carrier billing and advertising. After Joker, Venus malware is spreading fast: since October, already 8 apps...

Read more