Short bio

Android/Trojan.Spy.Joker.gfth is Malwarebytes’ detection name for a family of Android apps that were found to be fleeceware.


Android/Trojan.Spy.Joker.gfth bombards the victim with popups telling them they have won a prize and need to claim it straight away. When the user accepts the offer, the malware redirects them to a geo-specific website where they have to submit their phone number for “verification”. Instead of any verification taking place, the user is actually signed up for a premium SMS service.

Type and source of infection

Android/Trojan.Spy.Joker.gfth is fleeceware. Fleeceware is a type of malware for mobile devices that comes with hidden, excessive subscription fees. These applications take advantage of users who do not know how to cancel a subscription by charging them long after they have deleted the application. Android/Trojan.Spy.Joker.gfth was initially distributed through both Google Play and third-party application stores. After researchers reported the apps to Google, the malicious applications were removed from the Google Play store. However, the malicious applications are still available on third-party app stores.


Some users may become suspicious of an extra charge on their phone bill, but it may take others months to notice. If and when they notice, they need to find out how to cancel the subscription, and there is no chance of getting their money back.


Malwarebytes for Android detects Android/Trojan.Spy.Joker.gfth and can remove it before it tricks users into submitting their phone number.


These apps can be uninstalled using the mobile device's uninstall functionality, but they were made available under many different names. That is where Malwarebytes for Android can help you, by identifying these apps and removing them.