In a blog post, the company's researchers Aviran Hazum, Bogdan Melnykov and Israel Wernik said this version of Joker could download additional malware to a device it infected, and that the new code subscribed users to premium services without their knowledge.
Joker, one of the most prominent types of malware for Android, used small changes in its code to constantly reappear in the Play Store. To register unwitting users, it relied on its Notification Listener service, part of the original malware, and a dynamic dex file loaded from its command and control server.
A screenshot of the Joker application on Google Play. Courtesy Check Point
The malware hid the dex file while still making sure it would load, a technique well-known to Windows malware developers, the Check Point trio said. The new variant hid the file as a base64 encoded string, ready to be decoded and loaded.
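Because the variant carries its dex payload as a base64 string, static triage of an app's files can look for strings that decode to a DEX header. The following is an added example, not code from Check Point or from this article; the function names and the sample input are constructed, and the validation assumes the standard DEX header layout (magic, Adler-32 checksum, SHA-1 signature, file size).

```python
import base64
import re
import struct
import zlib

# base64 of b"dex\n" followed by any ASCII digit always begins with "ZGV4Cj".
B64_DEX = re.compile(rb"ZGV4Cj[A-Za-z0-9+/]+={0,2}")
DEX_MAGIC = re.compile(rb"dex\n(\d{3})\x00")


def find_base64_dex(blob: bytes) -> list:
    """Report base64 runs in blob that decode to a DEX header."""
    findings = []
    for m in B64_DEX.finditer(blob):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # tolerate truncated or unpadded strings
        try:
            data = base64.b64decode(run)
        except ValueError:
            continue
        magic = DEX_MAGIC.match(data)
        if not magic or len(data) < 36:
            continue
        checksum, = struct.unpack_from("<I", data, 8)    # Adler-32 of bytes 12..file_size
        file_size, = struct.unpack_from("<I", data, 32)  # declared size of the whole file
        complete = len(data) >= file_size
        findings.append({
            "offset": m.start(),
            "dex_version": magic.group(1).decode(),
            "declared_size": file_size,
            "checksum_ok": complete and zlib.adler32(data[12:file_size]) == checksum,
        })
    return findings


def constructed_sample() -> bytes:
    """Constructed input: a header-only fake DEX hidden in a string resource."""
    body = bytes(20) + struct.pack("<II", 0x70, 0x70) + bytes(0x70 - 40)
    dex = b"dex\n035\x00" + struct.pack("<I", zlib.adler32(body)) + body
    hidden = base64.b64encode(dex)
    benign = base64.b64encode(b"plain settings, nothing to load")
    return b'<string name="a">' + benign + b'</string><string name="b">' + hidden + b"</string>"


if __name__ == "__main__":
    for finding in find_base64_dex(constructed_sample()):
        print(finding)
```

A hit with `checksum_ok` set means the string holds a complete, internally consistent dex file rather than a coincidental prefix match.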