Rascals are always sociable, and the chief sign that a man has any nobility in his character is the little pleasure he takes in others company. Arthur Schopenhauer

Joker is a category of toll_fraud malware initially identified in 2017 whose main goal is to intercept OTP’s and subscribe users to premium services by performing clicks.

This family uses various techniques to perform malicious activities, however the base code remains the same. The malicious code responsible for performing subscription activities are downloaded externally by connecting to a malicious links. These payloads can be downloaded at a time or in multiple stages depending on the cloaking techniques used which may be implemented on client side or server side. These techniques help the malware developer from being detected by antivirus during execution of payload.

The subscription process will be invisible to user as it happens automatically by the malware. An OTP may or may not be required depending on the sim operator and the country the malware targets. Reverse engineering of Joker Malware