Joker malware apps still stealing money and contacts in Google Play store

(Image credit: Shutterstock)

It's baaaaack. The notorious and persistent Joker malware has infected another 17 apps in the Google Play Store. The estimated 120,000 people who installed those apps may have been fraudulently signed up the to premium services without their permission and had their contact lists and SMS text messages stolen.

All the Joker-infected apps have been removed from Google Play, and Google has remotely disabled the apps on users' phones. But if you downloaded any of these apps, you'll still need to manually delete them from your devices.

These 17 apps were spotted by Zscaler ThreatLabZ, which put up a blog post about its finding last week and said most of the apps were PDF scanners, messaging apps or photo editors. One of the apps was listed twice by Zscaler, which could mean two different apps had the same name.

  • All Good PDF Scanner
  • All Good PDF Scanner
  • Blue Scanner
  • Care Message
  • Desire Translate 
  • Direct Messenger 
  • Hummingbird PDF Converter - Photo to PDF
  • Meticulous Scanner
  • Mint Leaf Message-Your Private Message 
  • One Sentence Translator - Multifunctional Translator
  • Paper Doc Scanner
  • Part Message
  • Private SMS
  • Style Photo Collage
  • Talent Photo Editor - Blur focus
  • Tangram App Lock
  • Unique Keyboard

All of these malicious apps are detected by the best Android antivirus apps, so please install and use one of these if you aren't doing so already.

"We recommend paying close attention to the permission list in the apps that you install on your Android device," Zscaler's Viral Gandhi wrote in the ThreatLabZ blog post. "Always watch out for the risky permissions related to SMS, call logs, contacts, and more. Reading the comment or reviews on the app page aslo helps identify compromised apps."

How Joker gets the last laugh

Joker isn't the worst Android malware out there, but it does try to put a substantial dent in your wallet and your privacy. It evades Google Play's security screening by presenting itself as a harmless app, and doesn't actually do anything malicious until some after it's first installed on a user's device.

But once the malicious part is up and running, Joker will sign you up for costly subscriptions that use the outmoded Wireless Application Protocol (WAP) billing mechanism, which dates back to the early 2000s when few mobile phones could load websites.

The trick with WAP billing is that you don't see the bills right away. They're not charged to your credit card. Instead, charges are tacked on your phone bill, where you might not notice a few extra bucks over the usual amount.

Joker also steals your phone's contact list, doubtless to spam itself out to even more people, and might also have a look at your saved text messages.

If this sounds familiar, it's because Google removed another six Joker-infected apps from the Play Store earlier this month. Another 11 apps were booted from Google Play in July. And just over a year ago, a full two dozen Joker-harboring apps were purged in the malware's grand debut.

That makes 58 different Joker-infected apps that have appeared in Google Play since the beginning of 2019. They won't be the last.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.