Researchers Find Joker & Haken Malware Returning To Play Store


Two unrelated but concerning malware families, dubbed Joker and Haken, have once again appeared in the Google Play Store. That’s according to researchers at Check Point who recently discovered the malware. According to researchers, both families continue to evolve to bypass Google’s security policies and checks.

Of course, the big story here is the return of a more virulent new variant of the “Joker” malware family. Also referred to as “Bread,” Google started tracking the billing fraud malware way back in 2017. According to the search giant, Joker utilizes just about every trick in the book to go undetected. It even goes so far as to disguise itself expressly for the purpose of landing on the Google Play Store.

In short, Joker utilizes geolocation data to discover premium services available to a given phone number’s region. Then it signs up for those services, using shady tactics to first receive and use verification codes before deleting the SMS messages. That way, the user is never aware of the transaction and is left paying bills for premium services.


Those can’t be easily identified and, as a result, can be difficult to unsubscribe from.

Check Point researchers discovered a new variant of the malware using custom-created signatures. The evidence suggests that Joker is still evolving and still being pushed to end-users on Android. Check Point revealed the problem to Google way back on January 3. The company removed the offending malware from the Play Store just three days later.

Joker is bad enough but Haken is still alive and well in the Play Store too

It isn’t unusual for Google to remove apps from the Play Store due to malware. Both ad fraud and billing fraud are among the more prominent reasons behind that happening. And it has continued to happen even recently.


Joker is a more serious threat since, according to Check Point, it also acts like spyware. But researchers also separately discovered a continued rise of the “Haken” malware family while tracking another malware referred to as “BearCloud.”

BearCloud and Haken are similar in that they both function as clickers. Haken may be the more concerning of the two, however, despite recent increases in BearCloud activity. That’s both because of how it works and because of its ability to slip past Google’s efforts to keep malware out of its Play Store.

BearCloud utilizes a more indirect route, acting via web-view and malicious JavaScript to click on ads. Haken uses native resources and code, injecting itself into Facebook and AdMob libraries. Then it communicates with an external remote server to get its configuration.


Haken utilizes its backdoor entry into Ad-APKs to mislead users with false ads and earn ad revenue. It also uses permissions to ‘mimic’ user clicks on those ads and can burrow into more apps than just Facebook.

What can be done about these problems?

Check Point indicates that Joker has found its way back onto the Google Play Store nearly every week since it was initially launched. So the problem appears to be that it is continuing to evolve more quickly than Google can follow. This time, Joker avoided appearing for users in the US or Canada, but it is still a large problem elsewhere.

Even though Joker, Haken, and BearCloud were spotted in the official Play Store, Check Point still suggests users only download apps from the official marketplace as the first line of defense. It also points out that devices that are kept up to date in terms of both apps and the OS are less likely to be vulnerable to malware. Finally, users should keep a security solution installed to monitor more actively for threats.


As of this writing, apps that were affected by the malware have all been taken down.