Malicious Android App Posed As QR Scanner To Launch Joker Malware That Steals SMS Data

Researchers uncovered a new age of Android malware project” Joker” which impersonated a QR scanner to target Android users.

Joker malware brings functionalities of both Spyware and Trojan capabilities, and quite advanced remain undetected through the traditional malware analysis approaches.

This variation was recognized through a lead from a Tweet, and the app was present in the Google Play Store till July 05, 2021, also validated that the app was an updated variation of Joker that downloads additional malware to the infected device to sign up for the premium services without user understanding.

The malware was initially discovered from the Google play store where their assailant conceals a genuine application that postured as Free QR Scanner uploaded with the developer name “Marcelo Bruce”.

Joker Malware Infection Process

Mitigation for this sort of Malware.

When the file gets set up and introduced by the victim, the harmful app develops a connection to the Command and control server drops a trojan.

According to the Cyble report, “The malware starts malicious behavior from the application subclass, qr.barcode.scanner.ScannerApp. This class is carried out initially when the user begins the application.”

During the infection procedure, scientists observed that the opponents utilizing a class called “Ferry” that has the ability of reading notifications gotten by the victims device consisting of text messages, and cancel them without user knowledge.


Joker malware authors keep customizing the application to evade the play protect detection, and those changes including the execution techniques, and using different payload obtaining strategies.

Keep your anti-virus software application upgraded to identify and eliminate harmful software application..
Uninstall the application if you find this malware on your gadget..
Keep your system and applications upgraded to the newest variations..
Usage strong passwords and enable two-factor authentication..
Install and download software application only from trusted sites and official app stores..
Confirm the authorizations and advantages requested by apps before approving them access..

Malicious URL.

These Unknown subscriptions charging victims on a daily, weekly, or regular monthly basis, consequently allowing assaulters to acquire financial advantages..

” The application has a number of Wireless Application Protocol( WAP) subscription URLs for its billing service. WAP billing is a payment method for buying material from sites, with the charges being directly included to the mobile phone bill. Using this billing service, assaulters can target countries including the U.S., the U.K., India, Thailand, and Vietnam”.


Joker malware ultimately steals Text messages, device info, contact details likewise efficient in stealing cash Stolen from the users bank account without the victims knowledge.

hxxp:// onemoretime.oss-us-east-1. Interesting.
hxxp:// onemoretime.oss-us-east-1. Interesting.
hxxp:// onemoretime.oss-us-east-1. Interesting.
hxxp:// svhyqj/mjcxzy Interesting.
hxxp:// svhyqj/bwytmw Interesting.

IOC type — SHA256.

Attackers adjust the standard evasion method of Dynamic Code Loading (DCL) and reflection that assists assailants to drop the harmful file on the victims gadget.