Security researchers recently discovered a new Android Trojan called “Joker”. A total of 24 applications were affected, with a total download of more than 472,000 times. The Trojan is hidden in the advertising framework used by the infected application, can impersonate the user to interact with the advertising website, and can also collect the victim’s device information, contact list, and SMS messages.
The researchers analyzed and found that the Joker trojan not only used a variety of technical means to avoid static analysis but also contacted the hacker’s command and control server to accept commands or upload stolen information. In addition, Joker’s program code has special settings that set the attack target to Android users in specific countries (including but not limited to Australia, France, Germany, India, the UK, and the U.S).
The Trojan will decide whether to attack based on the SIM card area code of the target device. “Most of the discovered apps have an additional check, which will make sure that the payload won’t execute when running within the US or Canada.”
Currently, Google has removed all affected applications.