

Updated: Oct 27, 2022

Research conducted by the Zimperium research team has produced the following results.

Joker Malware

The 'Joker' virus, or malware, is malicious code that hides in Android applications. Those applications are usually placed in the Google Play Store, which is enough for it to do significant damage. This malware is classified as a 'spyware Trojan'. Its whole goal is to authorize operations without the user's knowledge or consent and to cause financial damage by doing so.

The Joker trojan was discovered in 2017 and reappeared in 2021. With updated capabilities, it targets Android devices. These trojans are malicious Android applications affiliated with premium services. Previous forms of these attacks had similar goals, such as financial gain and capturing mobile devices.

Over 1,000 samples of the Joker malware were discovered in mid-2021, and these more recent variants had new security-bypassing techniques built into their code.


GriftHorse, discovered by Zimperium, is an aggressive mobile premium services campaign. Its malicious applications were distributed through Google Play and third-party application stores. The campaign is aimed at mobile users from more than 70 countries. GriftHorse is larvard, which is the malicious programmer. The campaign could change the language and content displayed based on the user's IP address. Between November 2020 and September 2021 (when it was publicly disclosed), GriftHorse infected over 10 million devices. Google removed the malicious applications after the Zimperium zLabs team reported them.


PhoneSpy was designed to spy on its victims constantly. It therefore does not raise suspicion while you use the phone, and it runs silently in the background. PhoneSpy gathered information such as personal data and phone data, including private communications and photos. Zimperium teams have identified 23 applications targeting South Korean citizens to date. Infected devices are no longer under the control of the attackers.


FlyTrap is the name we gave to an active Android Trojan horse attack that points to malicious parties operating in Vietnam. This hijacking campaign has been running since March 2021. The malicious applications were initially distributed through Google Play and third-party application stores. The threat actors take advantage of the fact that users commonly believe that logging into the right domain is always secure, irrespective of the application used. The targets are popular social media platforms, and this campaign has effectively harvested social media session data of users from 144 countries. The compromised accounts can be used as a botnet for different purposes. For example, actors can boost the popularity of specific pages, sites, and products. In addition, these accounts can be used to spread misinformation or political propaganda. Once the Zimperium zLabs team reported them, Google removed the malicious applications.
