Beware the Joker malware. Image supplied

Beware of the Joker: Google removes 17 malicious apps from Play Store

The Joker malware, also known as Bread, is one of the most persistent threats Google has dealt with since 2017.



Google has removed 17 Android applications from the official Play Store this week. The 17 apps, infected with the Joker malware (aka Bread), were detected by security researchers from Zscaler.

Zscaler security researcher Viral Gandhi said, “This spyware is designed to steal SMS messages, contact lists, and device information, along with silently signing up the victim for premium wireless application protocol (WAP) services.”


The 17 malicious apps were uploaded on the Play Store this month. They were downloaded more than 120,000 times before being detected.

• All Good PDF Scanner
• Mint Leaf Message – Your Private Message
• Unique Keyboard – Fancy Fonts and Free Emoticons
• Tangram App Lock
• Direct Messenger
• Private SMS
• One Sentence Translator – Multifunctional Translator
• Style Photo Collage
• Meticulous Scanner
• Desire Translate
• Talent Photo Editor – Blur focus
• Care Message
• Part Message
• Paper Doc Scanner
• Blue Scanner
• Hummingbird PDF Converter – Photo to PDF
• All Good PDF Scanner

Google removed the apps from the Play Store and used the Play Protect service to disable the apps on infected devices. Users still need to manually intervene and remove the apps from their devices.

The recent takedown also marks the third such action from Google’s security team against a batch of Joker-infected apps over the past few months.

Google removed six such apps at the start of the month after they had been spotted and reported by security researchers from Pradeo.

Google in July also removed another batch of Joker-infected apps discovered by security researchers from Anquanke. The batch had been active since March and had managed to infect millions of devices.


These infected apps usually sneak past Google’s defences and reach the Play Store through a technique called “droppers”, where the victim’s device is infected in a multi-stage process. The technique is quite simple but hard to defend against.

Malware authors begin by cloning the functionality of a legitimate app and uploading it on the Play Store. This app is fully functional and requests access to dangerous permissions, but does not perform any malicious actions.

Google’s security scans don’t pick up the malicious code because the malicious actions are usually delayed by hours or days.

The app eventually downloads and drops other components or apps on a user’s device that contain the Joker malware or other malware strains.


The Joker family, which Google tracks internally as Bread, has been one of the most ardent users of the dropper technique.

In January, Google published a blog post where it described Joker as one of the most persistent and advanced threats it has dealt with in recent years. Google said that its security teams had removed more than 1,700 apps from the Play Store since 2017.

Joker is far more widespread and was also found in apps uploaded on third-party Android app stores. Anquanke said it detected more than 13,000 Joker samples since the malware was first discovered in December 2016.

Users need to practise caution when installing apps with broad permissions in order to avoid getting infected.
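Because the first-stage dropper app does nothing malicious at install time, the permissions it requests are one of the few signals a reviewer can check up front. The sketch below is an added example, not code from Google, Zscaler or the article: it reads a decoded AndroidManifest.xml and flags requests for SMS, contacts or device-information access that the app's stated purpose does not explain. The permission grouping, the `expected` parameter and both sample manifests are assumptions constructed for illustration, and a flag means "review this app", not "this is Joker".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption of this example: permission groups for the data the article
# says Joker steals (SMS messages, contact lists, device information).
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "device_info": {"android.permission.READ_PHONE_STATE"},
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit(manifest_xml, expected=()):
    """Flag capability groups the app requests but its stated purpose
    (the `expected` groups chosen by the reviewer) does not explain."""
    perms = requested_permissions(manifest_xml)
    hits = {cap: sorted(perms & names)
            for cap, names in CAPABILITIES.items() if perms & names}
    unexplained = sorted(set(hits) - set(expected))
    return {"hits": hits, "unexplained": unexplained, "review": bool(unexplained)}

def _manifest(package, perms):
    """Build a constructed sample manifest (not taken from any real app)."""
    lines = "".join(f'<uses-permission android:name="android.permission.{p}"/>'
                    for p in perms)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{lines}<application/></manifest>')

SCANNER = _manifest("com.example.pdfscanner",
                    ["CAMERA", "INTERNET", "READ_SMS", "READ_CONTACTS", "READ_PHONE_STATE"])
MESSENGER = _manifest("com.example.messenger",
                      ["INTERNET", "READ_SMS", "SEND_SMS", "READ_CONTACTS"])

if __name__ == "__main__":
    print(audit(SCANNER))                                  # scanner asking for SMS/contacts
    print(audit(MESSENGER, expected=("sms", "contacts")))  # purpose explains the request
```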