My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2021-01-27

Virus description added:


A trojan application for devices running the Android operating system. It is designed to automatically subscribe users to premiums mobile services. It is spread under the guise of harmless apps and games that appear legitimate, work as intended and do not show any suspicious activity. The trojan has a modular structure, with additional modules downloaded from the Internet. The list of known modifications of the trojan, along with information about indicators of compromise, are available in the link at the end of this description.

Operating routine

Upon launching, Android.Joker.531 opens the link like hxxps://superkeyboard[.]oss-ap-southeast-1[.]aliyuncs[.]com/201028120701/" + versionName + ".txt to download the configuration from the remote server, where versionName is the current version of the trojan application.

An example of the server response:


Using the link from the sdkUrl parameter from the received configuration, the trojan downloads the encrypted payload (Android.Joker.242.origin), which it then decrypts and executes.

Next, Android.Joker.531 requests the permission to work with notifications. If permission is granted by the user, the trojan begins tracking notifications about incoming SMS. When a notification appears, the malware sends a broadcast message with the SEND_APP_NOTIFICATION_ACTION intent, adding android.text and android.title to the extras. This way, Android.Joker.531 tries to intercept incoming confirmation codes (PINs) sent from premium services that the Android.Joker.242.origin module subscribes the victim to. If successful, the module receives the code and completes the subscription.

Moreover, having access to the contents of notifications about incoming SMS not only allows Android.Joker.531 to search for PINs, but also obtain information about all other SMS. As a result, users risk losing money on premium services they did not want and becoming victim to data leaks.

Indicators of compromise

News about the trojan

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android