Bleeping Computer and Check Point researchers reported that the threat actors behind the Joker Android malware have once again slipped billing-fraud malware into apps on the Google Play Store without it being caught by Google's app review process. Joker is used for mobile billing fraud: it subscribes victims to premium services without their knowledge or consent. The new variant evaded the Play Store's checks by hiding its malicious payload, a DEX file, as Base64-encoded strings inside the AndroidManifest.xml of seemingly benign apps. The AndroidManifest.xml file is the one that gives the Android build tools, the Android OS and the Google Play Store essential information about an app, not a place where executable code is expected. Because the payload ships inside the app itself, the malware passed analysis during the submission process and had no need to fetch anything from a command-and-control server. So far, 11 new apps have been reported to Google as infected with Joker, and Google is removing the apps as they are reported.
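The technique described above is detectable statically: a DEX file begins with the magic bytes "dex\n", a three-digit version and a NUL, so any Base64 blob in a manifest that decodes to that header is a payload, whatever the meta-data key claims it is. The following script is an added example written for this page, not code from Bleeping Computer, Check Point, Google or the Joker authors. It assumes the manifest has already been decoded from binary AXML to plain XML (for instance with apktool or androguard), uses a 40-character minimum run length that is an arbitrary choice for the example, and builds its own constructed sample manifest (a fake "wallpaper" app with a licence-key blob and a DEX-header blob) rather than any real sample.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# A DEX file starts with the magic "dex\n", a three-digit format version
# (035, 037, 038, 039) and a NUL byte.
DEX_MAGIC_RE = re.compile(rb"^dex\n(\d{3})\x00")

# Runs of Base64 alphabet long enough to be worth decoding. The 40-character
# threshold is an assumption made for this example, not a published indicator.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def _local(qname: str) -> str:
    """Strip the XML namespace from a tag or attribute name."""
    return qname.rsplit("}", 1)[-1]


def _try_b64(s: str) -> Optional[bytes]:
    """Strict Base64 decode; None if the run is not valid standalone Base64."""
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_base64_chunks(manifest_xml: str) -> List[Tuple[str, str]]:
    """(location, chunk) for every Base64-looking run in attribute values or
    element text of a decoded (plain-text) AndroidManifest.xml, in document order."""
    chunks = []
    for elem in ET.fromstring(manifest_xml).iter():
        name = elem.attrib.get(f"{{{ANDROID_NS}}}name", "")
        where = f"{_local(elem.tag)}[{name}]" if name else _local(elem.tag)
        for attr, value in elem.attrib.items():
            for m in B64_RUN_RE.finditer(value):
                chunks.append((f"{where}@{_local(attr)}", m.group(0)))
        for m in B64_RUN_RE.finditer(elem.text or ""):
            chunks.append((f"{where}#text", m.group(0)))
    return chunks


def find_embedded_dex(manifest_xml: str) -> List[Tuple[str, str]]:
    """(location, dex_version) for every chunk that decodes to a DEX header.
    If no single chunk matches, also try all chunks joined in document order,
    since a payload split across several strings only decodes once reassembled."""
    chunks = extract_base64_chunks(manifest_xml)
    hits = []
    for loc, chunk in chunks:
        data = _try_b64(chunk)
        m = DEX_MAGIC_RE.match(data) if data else None
        if m:
            hits.append((loc, m.group(1).decode()))
    if not hits and len(chunks) > 1:
        joined = _try_b64("".join(c for _, c in chunks))
        m = DEX_MAGIC_RE.match(joined) if joined else None
        if m:
            hits.append(("joined:" + "+".join(l for l, _ in chunks), m.group(1).decode()))
    return hits


def build_sample_manifest() -> str:
    """Constructed sample manifest (not a real Joker sample): one meta-data value
    carries non-DEX Base64 (a stand-in for a licence key), another carries a
    Base64 blob whose bytes begin with a DEX header followed by zero padding."""
    licence = base64.b64encode(bytes(range(64))).decode()
    fake_dex = base64.b64encode(b"dex\n035\x00" + bytes(64)).decode()  # header only
    return (
        f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.wallpaper">\n'
        '  <application android:label="Wallpaper Studio">\n'
        f'    <meta-data android:name="com.example.licence" android:value="{licence}"/>\n'
        f'    <meta-data android:name="com.example.config" android:value="{fake_dex}"/>\n'
        '    <activity android:name=".MainActivity"/>\n'
        '  </application>\n'
        '</manifest>\n'
    )


if __name__ == "__main__":
    for loc, ver in find_embedded_dex(build_sample_manifest()):
        print(f"embedded DEX (version {ver}) at {loc}")
```

On a real APK the manifest inside the archive is binary AXML, so decode it to text before feeding it to `find_embedded_dex`. A hit only proves that a DEX header is embedded; to go further, carve the decoded bytes to a file and inspect them, and look in the app's classes for the loader that decodes the strings and hands them to `DexClassLoader` or similar, which this example does not do.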
By Anthony Zampino
Introduction
Leading up to the most recent Russian invasion of Ukraine in