July 2025 • Advanced Reverse Engineering & Threat Analysis
Joker is a notorious Android malware family that first emerged in 2017, notorious for its sophisticated methods of fraud and unauthorized subscription activation. Exploiting vulnerabilities in the Google Play ecosystem, Joker masquerades as legitimate apps to infect devices, exfiltrate sensitive data, and execute background transactions—often without the user’s consent. This blog post provides an in-depth technical analysis for reverse engineers and security researchers, detailing Joker’s origin, infection methods, payload activities, low-level detection techniques, and associated indicators of compromise (IOCs).
Joker was initially discovered on the Google Play Store, cleverly disguising itself as a benign utility or entertainment application. The malware is believed to be crafted by an elusive group whose true identity remains unconfirmed; however, several analyses have hinted at its ties to financially motivated cybercriminals operating from Eastern Europe. Joker’s developers continuously update the malware, evading automated detection and leveraging a multi-stage payload delivery mechanism.
Key points: - First appearance: 2017 - Distribution channel: Official app stores (Google Play) and third-party markets - Primary activity: Premium subscription fraud via SMS and in-app actions
Joker employs multiple techniques to infect Android devices:
Social Engineering & Masquerading:
Joker apps are designed to look and behave like common utilities (e.g.,
photo editors, media players), tricking users into
installation.
Dynamic Payload Loading:
After installation, the malware contacts its command and control
(C&C) server to download additional payloads. This multi-stage
delivery involves:
libphotoset.so) decrypts
and loads a secondary DEX payload using Android’s
DexClassLoader.Network Manipulation:
Joker may manipulate network settings to ensure that premium SMS
transactions are conducted over cellular data rather than Wi‑Fi. For
example, it uses Android’s ConnectivityManager to force the
process onto the mobile network.
Once active, Joker performs several malicious activities:
Premium Subscription Fraud:
The primary objective is to subscribe the victim to premium services
without their knowledge. It does this by:
Data Exfiltration:
Joker collects sensitive device information (IMEI, SIM operator codes,
contact lists) to further tailor its fraudulent transactions and evade
detection.
Dynamic Code Execution:
Joker’s multi-stage design means that an initial lightweight payload
downloads and decrypts a larger, more capable secondary payload which
then:
Reverse engineers have identified several low-level details critical for detecting Joker:
public byte[] decryptPayload(String encryptedPayload, byte[] key) {
try {
SecretKeySpec secretKey = new SecretKeySpec(key, "AES");
IvParameterSpec iv = new IvParameterSpec(key); // Simplistic; for illustration only
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, secretKey, iv);
return cipher.doFinal(encryptedPayload.getBytes(StandardCharsets.UTF_8));
} catch(Exception e) {
throw new RuntimeException(e);
}
}The malware dynamically loads a native library (e.g., libphotoset.so) to offload critical operations such as payload decryption:
DexClassLoader classLoader = new DexClassLoader(payloadPath, optimizedDirectory, null, context.getClassLoader());
Class<?> dynamicClass = classLoader.loadClass("com.joker.DynamicPayload");
Method initMethod = dynamicClass.getMethod("initialize", Context.class);
initMethod.invoke(null, context);Enforcing Mobile Network Usage:
To ensure that transactions occur over the mobile network (which may be less secure), Joker includes routines similar to the following:
private void requestMobileNetwork() {
try {
NetworkRequest.Builder builder = new NetworkRequest.Builder();
builder.addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET);
builder.addTransportType(NetworkCapabilities.TRANSPORT_CELLULAR);
connectivityManager.requestNetwork(builder.build(), new NetworkCallback() {
@Override
public void onAvailable(Network network) {
// Bind process to mobile network to avoid Wi-Fi interference
ConnectivityManager.setProcessDefaultNetwork(network);
}
});
} catch (Exception e) {
// Handle exception gracefully
}
}Joker registers a broadcast receiver to capture incoming SMS messages. This allows it to extract OTP codes needed for fraudulent transactions.
The malware uses embedded WebViews to load carrier billing pages and programmatically execute JavaScript, automating the subscription process.
Security researchers have identified several IOCs associated with Joker:
Below is an example YARA rule designed to detect Joker malware based on unique string patterns and network indicators:
rule Joker_Malware_Signature {
meta:
description = "Detects Joker Android malware based on unique network indicators and embedded strings."
author = "CERT Polska"
date = "2025-02-14"
strings:
$domain1 = "kamisatu.top"
$domain2 = "forga.oss-me-east-1.aliyuncs.com/Kuwan"
$jokerTag = { 4A 6F 6B 65 72 } // ASCII for "Joker"
condition:
any of ($domain*, $jokerTag)
}To defend against Joker malware, consider the following mitigation strategies:
Educate users about downloading apps only from trusted sources and to be cautious of apps requesting excessive permissions.
Use robust mobile threat defense solutions and automated app screening to detect and block suspicious behavior.
Monitor network traffic for anomalies such as unexpected domain requests or encrypted payload exchanges.
Ensure that devices and security software are updated to the latest versions to mitigate known vulnerabilities.
Deploy dynamic analysis environments (sandboxing) that can reveal Joker’s multi-stage payload behavior.
Joker remains one of the most sophisticated Android malware families due to its dynamic payload delivery, obfuscation techniques, and ability to conduct premium subscription fraud. Its multi-stage architecture and adaptive network manipulation strategies pose significant challenges for detection and mitigation. By understanding the low-level operations—ranging from AES decryption routines to dynamic code loading—security researchers can develop more effective detection rules and countermeasures.
Continued collaboration and information sharing, including detailed YARA rules and IOC dissemination, are crucial in defending against such evolving threats.