Joker

Malware

⚠️ Overview

Joker (also tracked as Bread) is a family of Android malware categorized as a fleecing trojan, first documented by Check Point Research in June 2017. It is operated by an unidentified threat actor and primarily targets users of the Google Play Store to enroll them in unwanted premium subscription services without their knowledge.

🔧 Technical Capabilities

Joker typically propagates through malicious apps uploaded to the official Google Play Store, often disguised as utility tools, wallpapers, or messaging apps. Once installed, it communicates with a command-and-control (C2) server over HTTP or DNS-based channels to retrieve configuration data and to exfiltrate victim information such as SMS messages, contact lists, and device identifiers. The malware uses JavaScript injection to intercept and auto-confirm premium SMS subscription requests, bypassing user consent mechanisms. Persistence is achieved through background services, broadcast receivers, and by registering as the default SMS handler. Evasion techniques include decrypting the payload on the fly, using obfuscated DEX files, and hiding code in encrypted assets to defeat static analysis by Google Play Protect. Recent variants have also used Android's Accessibility Service to automate clicks and scrolls, further obscuring their behavior.

📜 History & Notable Incidents

First identified in 2017, Joker has been continuously active, with Google removing over 1,700 apps associated with the family between September 2019 and October 2021 alone. A notable campaign in August 2020 saw 24 malicious apps downloaded over 472,000 times before removal. In July 2021, researchers at Malwarebytes documented a variant that used malicious WebView components to perform click fraud alongside subscription fraud. While no CVEs are directly attributed, the malware abuses the Android permission model and relies on a lack of user awareness. No law enforcement actions specifically targeting the Joker operators have been publicly reported as of 2025.

🔍 Detection Indicators

File-based indicators are per-sample SHA-256 hashes, published per campaign; the value 5a8c9b1f2e3d4c5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9 shown here is an example only, since actual IOCs vary per campaign. Behavioral signatures include installation of apps from non-Play sources after the initial install, excessive SMS permission requests, and unusual HTTPS traffic to domains matching patterns such as *[random].xyz or *[random].top. Network IOCs often involve C2 server IPs located in Eastern Europe or China. Registry keys and mutexes are not applicable on Android; instead, persistent services named after common Android components (e.g., com.android.phone) are typical. User-Agent strings mimic standard Android browser versions to evade network detection.
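The indicators in this section translate directly into a log-triage script. The following is an added example, not code from the original page or from any vendor product; the proxy-log lines, host names, identifier values and query-parameter names are constructed. It scores requests to random-label .xyz/.top hosts and requests that carry device identifiers, aggregates the score per client, and loads SHA-256 IOCs from a feed while rejecting malformed entries (the placeholder hash quoted on this page is 63 hex digits, one short of a SHA-256 digest, so the loader rejects it):

```python
"""Network-log triage for the indicators listed above: requests to random-label
.xyz/.top hosts, device identifiers in request paths, and a hash-IOC loader that
rejects malformed digests.

Added example, not from the original page, Google, or any vendor product. The
log lines, host names, identifier values and parameter names are constructed."""
import re
from collections import defaultdict

SUSPECT_TLDS = {"xyz", "top"}                        # page pattern: *[random].xyz / *[random].top
ID_PARAMS = {"imei", "android_id", "imsi", "iccid"}  # assumed exfiltration parameter names
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

# Placeholder hash as printed on this page: 63 hex digits, so not a valid digest.
PAGE_PLACEHOLDER_HASH = "5a8c9b1f2e3d4c5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9"

UA = ("Mozilla/5.0 (Linux; Android 11; Pixel 4) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/89.0.4389.105 Mobile Safari/537.36")
# Constructed proxy log: time client method host path status "user-agent".
# Every line carries an ordinary Android Chrome UA, matching the page's note
# that the malware mimics browser UAs, so the UA is not used as a discriminator.
SAMPLE_LOG = "\n".join([
    f'2024-03-02T10:14:05Z 10.0.0.12 GET cdn.example-wallpapers.com /img/1.jpg 200 "{UA}"',
    f'2024-03-02T10:14:09Z 10.0.0.12 POST x7k2q9zt4p.xyz /api/reg?imei=PLACEHOLDER_IMEI&op=40410 200 "{UA}"',
    f'2024-03-02T10:15:30Z 10.0.0.12 GET p0w3r1ng8b.top /cfg 200 "{UA}"',
    f'2024-03-02T10:16:01Z 10.0.0.31 GET www.wikipedia.org /wiki/Android 200 "{UA}"',
])


def looks_random(label):
    """Crude heuristic for a machine-generated DNS label: long and vowel-poor or digit-heavy."""
    if len(label) < 8:
        return False
    vowels = sum(c in "aeiou" for c in label)
    digits = sum(c.isdigit() for c in label)
    return vowels / len(label) < 0.25 or digits >= 2


def score_request(host, path):
    """Score one request; returns (points, reasons)."""
    points, reasons = 0, []
    parts = host.lower().split(".")
    if len(parts) >= 2 and parts[-1] in SUSPECT_TLDS and looks_random(parts[-2]):
        points += 3
        reasons.append(f"random-label host on suspect TLD: {host}")
    query = path.partition("?")[2]
    keys = {kv.partition("=")[0].lower() for kv in query.split("&") if kv}
    if keys & ID_PARAMS:
        points += 2
        reasons.append(f"device identifier in request: {sorted(keys & ID_PARAMS)}")
    return points, reasons


def triage_log(text):
    """Aggregate per-client scores over a whole log; malformed lines are skipped."""
    clients = defaultdict(lambda: {"score": 0, "reasons": [], "hosts": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, client, _method, host, path, _status, _ua = m.groups()
        points, reasons = score_request(host, path)
        if points:
            entry = clients[client]
            entry["score"] += points
            entry["reasons"].extend(reasons)
            entry["hosts"].add(host)
    return dict(clients)


def flagged_clients(text, threshold=4):
    """Clients whose aggregate score reaches the (assumed) review threshold."""
    return sorted(c for c, v in triage_log(text).items() if v["score"] >= threshold)


def load_hash_iocs(lines):
    """Normalise a hash feed and keep only well-formed SHA-256 digests."""
    good, rejected = set(), []
    for raw in lines:
        h = raw.strip().lower()
        if not h or h.startswith("#"):
            continue
        (good.add if SHA256_RE.match(h) else rejected.append)(h)
    return good, rejected


if __name__ == "__main__":
    for client, info in triage_log(SAMPLE_LOG).items():
        print(client, info["score"], sorted(info["hosts"]), *info["reasons"], sep="\n  ")
    print("flagged:", flagged_clients(SAMPLE_LOG))
    print("rejected hashes:", load_hash_iocs([PAGE_PLACEHOLDER_HASH])[1])
```

The randomness heuristic is deliberately simple and will miss dictionary-word domains; in practice it should be combined with domain age and registrar data from your own sources, and the threshold tuned against a baseline of your own traffic.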

☠️ Risk & Impact

Joker’s primary damage is financial: victims are charged unauthorized premium SMS fees ranging from $5 to $50 per incident, often recurring monthly until the service is canceled. It also exfiltrates sensitive data including SMS messages, contact lists, and device IMEI, which can be sold on dark web markets. The malware has affected a broad consumer base globally, with notable spikes in India, the Middle East, and Southeast Asia, as reported by Google’s 2020 Android Security & Privacy Year in Review.

🛡️ Mitigation

Mitigation relies on user education: only install apps from trusted developers, review app permissions critically, and keep Google Play Protect enabled. Google has deployed Play Integrity API checks and improved static analysis to flag Joker variants. Enterprises can use mobile threat defense (MTD) solutions like Lookout or Zimperium that detect malicious behavior in real time, and apply MITRE ATT&CK IDs T1417 (Automatic Execution) and T1426 (System Information Discovery) for Android detection rule development.
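Both the capabilities described under Technical Capabilities (SMS interception, default-SMS-handler registration, accessibility automation, boot persistence) and the advice above to review permissions critically can be turned into a static manifest check. The following is an added example, not Joker's code and not from Google, Lookout or Zimperium; the two manifests, the finding weights, the review threshold and the list of app categories that rarely need SMS access are constructed assumptions:

```python
"""Static triage of an AndroidManifest.xml for the capability pattern described
under Technical Capabilities and the permission review advised under Mitigation:
SMS permissions, default-SMS-handler or SMS-listening receivers, an accessibility
service, and boot-time persistence.

Added example, not Joker's code and not from Google or any MTD vendor; both
manifests below are constructed, as are the weights and category list."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML attribute namespace

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_HANDLER_ACTIONS = {"android.provider.Telephony.SMS_DELIVER",
                       "android.provider.Telephony.WAP_PUSH_DELIVER"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Assumed list of app categories with no plausible need for SMS access.
LOW_SMS_NEED = {"wallpaper", "flashlight", "camera", "keyboard", "scanner"}

# Constructed manifest of a "wallpaper" app showing the pattern from the page.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cute.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Cute Wallpapers">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an app with only network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"><activity android:name=".MainActivity"/></application>
</manifest>"""


def _actions(component):
    """All intent-filter action names declared on a receiver/service/activity."""
    return {a.get(A + "name") for f in component.findall("intent-filter")
            for a in f.findall("action")}


def triage_manifest(xml_text, app_category=None):
    """Return package, weighted score, verdict and human-readable findings."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.findall("uses-permission")}
    app = root.find("application")
    findings = []  # (weight, description)

    sms = perms & SMS_PERMS
    if sms:
        findings.append((2, f"requests SMS permissions {sorted(sms)}"))
    if BOOT_PERM in perms:
        findings.append((1, "boot-time persistence via RECEIVE_BOOT_COMPLETED"))
    if app is not None:
        for recv in app.findall("receiver"):
            acts, name = _actions(recv), recv.get(A + "name")
            if acts & SMS_HANDLER_ACTIONS:
                findings.append((3, f"default-SMS-handler receiver {name}"))
            elif SMS_RECEIVED in acts:
                findings.append((2, f"receiver {name} listens for incoming SMS"))
        for svc in app.findall("service"):
            if svc.get(A + "permission") == ACCESSIBILITY_PERM:
                findings.append((2, f"accessibility service {svc.get(A + 'name')}"))
    if sms and app_category in LOW_SMS_NEED:
        findings.append((2, f"SMS access is atypical for a {app_category} app"))

    score = sum(w for w, _ in findings)
    return {"package": root.get("package"), "score": score,
            "verdict": "review" if score >= 4 else "ok",   # assumed threshold
            "findings": [d for _, d in findings]}


if __name__ == "__main__":
    for manifest, category in ((SUSPICIOUS_MANIFEST, "wallpaper"), (BENIGN_MANIFEST, "notes")):
        result = triage_manifest(manifest, category)
        print(result["package"], result["verdict"], result["score"], *result["findings"], sep="\n  ")
```

Run it against a manifest extracted from an APK (for example with apktool) and tune the weights to your own app inventory; a legitimate messaging app will legitimately score on the SMS checks, which is why the category mismatch is scored separately rather than the permissions alone.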


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.