Joker malware infected 538,000 Huawei Android devices

Pierluigi Paganini April 11, 2021

More than 500,000 Huawei users have been infected with the Joker malware after downloading apps from the company’s official Android store.

More than 500,000 Huawei users were infected with the Joker malware after they downloaded tainted apps from the company’s official Android store, AppGallery.

The fight against the Joker malware (aka Bread) began in September 2019, when security experts at Google removed 24 apps from the official Play Store because they were infected with a new spyware tracked as “the Joker.”

The Joker malware is malicious code camouflaged as a system app. It allows attackers to perform a broad range of malicious operations, including disabling the Google Play Protect service, installing malicious apps, generating fake reviews, and showing ads.

The spyware is able to steal SMS messages, contact lists, and device information and to sign victims up for premium service subscriptions.

Experts from antivirus firm Doctor Web discovered ten apps in AppGallery that contained the malicious code.

“Doctor Web’s virus analysts have uncovered the first malware on AppGallery―the official app store from the Huawei Android device manufacturer.” reads the post published by Dr. Web. “They turned out to be dangerous Android.Joker trojans that function primarily to subscribe users to premium mobile services. In total, our specialists discovered that 10 modifications of these trojans have found their way onto AppGallery, with more than 538,000 users having installed them.”

Once downloaded and executed, the apparently harmless apps worked as users would have expected, so as not to raise suspicion.

The malicious apps were camouflaged as virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game. Eight of these apps were developed by Shanxi kuailaipai network technology co., ltd, the remaining two by the developer 何斌.

Below is the list of apps and packages discovered by the researchers:

| Detection name | SHA-1 | Application name | Package name | Configuration |
|---|---|---|---|---|
| Android.Joker.531 | 2349b2c0238dcc52e072500ea402128de0a216cf | Super Keyboard | com.nova.superkeyboard | hxxps://superkeyboard.oss-ap-southeast-1.aliyuncs.com/ |
| Android.Joker.531 | 0cfb4dd79fcfda7ecfcab7fd238f9f73ab8543d8 | Happy Colour | com.colour.syuhgbvcff | hxxps://happycolor.oss-ap-northeast-1.aliyuncs.com/ |
| Android.Joker.531 | 443c73e1ee2cc7c9301ac4dfe14411762689baf5 | Fun Color | com.funcolor.toucheffects | hxxps://funcolortoucheffects.oss-ap-southeast-2.aliyuncs.com/ |
| Android.Joker.531 | ddebecf001fd0c7ce03bf4a3eb7b6abe779f0d2d | New 2021 Keyboard | com.newyear.onekeyboard | hxxps://new2021keyboard.oss-ap-south-1.aliyuncs.com/ |
| Android.Joker.594 | f1b49a444f554bb942fd8f5a9ff2a212d8db6247 | Camera MX – Photo Video Camera | com.sdkfj.uhbnji.dsfeff | hxxps://cameramx-photovideocamera.oss-cn-wulanchabu.aliyuncs.com/ |
| Android.Joker.594 | 9dcc00513144612fdfcdb57278b2a54654b996ec | BeautyPlus Camera | com.beautyplus.excetwa.camera | hxxps://beautypluscamera.oss-ap-northeast-1.aliyuncs.com/ |
| Android.Joker.658 | 3950c89eb27c973dce8c1c0ea3ae30baa0f7544e | Color RollingIcon | com.hwcolor.jinbao.rollingicon | hxxps://colorrollingicon.oss-cn-huhehaote.aliyuncs.com/ |
| Android.Joker.659 | 9d2337047ca59d1375c898cf7d0361fe56c3576c | Funney Meme Emoji | com.meme.rouijhhkl | hxxp://funneymemeemoji.oss-ap-southeast-5.aliyuncs.com/ |
| Android.Joker.660 | 57148c6e040fb15723e5ca040740ae8901fd2dae | Happy Tapping | com.tap.tap.duedd | hxxp://happytapping.oss-cn-qingdao.aliyuncs.com/ |
| Android.Joker.662 | fb184efe017debc57eba118ab7aee17fd946e1ec | All-in-One Messenger | com.messenger.sjdoifo | hxxps://allinonemessenger.oss-cn-shenzhen.aliyuncs.com/ |

Once executed, the malware connects to the C&C server to receive its configuration, then downloads and launches one of the additional components. This component automatically subscribes the Android device user to premium mobile services. The apps also request access to notifications so they can intercept incoming SMS from premium services carrying subscription confirmation codes.

The same apps set the limit on the number of successfully activated premium services for each user. By default, the limit is set to 5, but it can be increased or decreased upon receiving the configuration from the C&C server.

“The downloaded component is responsible for automatically subscribing Android device users to premium mobile services. In addition, the decoy apps request access to notifications that they will later need to intercept incoming SMS from premium services with subscription confirmation codes.” continues the report. “The same apps set the limit on the number of successfully activated premium services for each user. By default, the limit is set to 5, but it can be increased or decreased upon receiving the configuration from the C&C server.”

Doctor Web reported its findings to Huawei, which quickly removed the apps from AppGallery. Huawei users who have already installed the malicious apps have to remove them manually.

The experts shared a list of indicators of compromise for the above malicious apps.
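The table above is directly usable for triage. The following Python script is an added example, not code from the article or from Doctor Web: it transcribes the ten IoCs (package names, APK SHA-1 hashes and defanged configuration hosts) and checks them against three kinds of evidence a defender actually has at hand: a `pm list packages` dump taken over adb, the bytes of pulled APK files, and proxy or DNS log lines. The `pm` output, the APK bytes and the log lines in the block are constructed samples; only the IoC values come from the table.

```python
"""Triage helper for the Android.Joker IoCs published by Doctor Web (see table above).

Added example, not part of the original article or of Doctor Web's tooling.
The sample inputs below are constructed; only the IoC values are from the article.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlparse

# Transcribed from the table: package name -> (detection name, APK SHA-1, defanged config URL)
JOKER_IOCS: Dict[str, Tuple[str, str, str]] = {
    "com.nova.superkeyboard": ("Android.Joker.531", "2349b2c0238dcc52e072500ea402128de0a216cf",
                               "hxxps://superkeyboard.oss-ap-southeast-1.aliyuncs.com/"),
    "com.colour.syuhgbvcff": ("Android.Joker.531", "0cfb4dd79fcfda7ecfcab7fd238f9f73ab8543d8",
                              "hxxps://happycolor.oss-ap-northeast-1.aliyuncs.com/"),
    "com.funcolor.toucheffects": ("Android.Joker.531", "443c73e1ee2cc7c9301ac4dfe14411762689baf5",
                                  "hxxps://funcolortoucheffects.oss-ap-southeast-2.aliyuncs.com/"),
    "com.newyear.onekeyboard": ("Android.Joker.531", "ddebecf001fd0c7ce03bf4a3eb7b6abe779f0d2d",
                                "hxxps://new2021keyboard.oss-ap-south-1.aliyuncs.com/"),
    "com.sdkfj.uhbnji.dsfeff": ("Android.Joker.594", "f1b49a444f554bb942fd8f5a9ff2a212d8db6247",
                                "hxxps://cameramx-photovideocamera.oss-cn-wulanchabu.aliyuncs.com/"),
    "com.beautyplus.excetwa.camera": ("Android.Joker.594", "9dcc00513144612fdfcdb57278b2a54654b996ec",
                                      "hxxps://beautypluscamera.oss-ap-northeast-1.aliyuncs.com/"),
    "com.hwcolor.jinbao.rollingicon": ("Android.Joker.658", "3950c89eb27c973dce8c1c0ea3ae30baa0f7544e",
                                       "hxxps://colorrollingicon.oss-cn-huhehaote.aliyuncs.com/"),
    "com.meme.rouijhhkl": ("Android.Joker.659", "9d2337047ca59d1375c898cf7d0361fe56c3576c",
                           "hxxp://funneymemeemoji.oss-ap-southeast-5.aliyuncs.com/"),
    "com.tap.tap.duedd": ("Android.Joker.660", "57148c6e040fb15723e5ca040740ae8901fd2dae",
                          "hxxp://happytapping.oss-cn-qingdao.aliyuncs.com/"),
    "com.messenger.sjdoifo": ("Android.Joker.662", "fb184efe017debc57eba118ab7aee17fd946e1ec",
                              "hxxps://allinonemessenger.oss-cn-shenzhen.aliyuncs.com/"),
}


def refang(url: str) -> str:
    """Undo the hxxp(s) defanging used in the IoC table so the host can be compared with logs."""
    return re.sub(r"^hxxp", "http", url, count=1)


def ioc_hosts() -> Set[str]:
    """Lower-cased hostnames of the configuration URLs in the IoC table."""
    return {urlparse(refang(cfg)).hostname.lower() for _, _, cfg in JOKER_IOCS.values()}


def find_suspect_packages(pm_output: str) -> List[str]:
    """Match `adb shell pm list packages` output (one 'package:<name>' per line) against the IoCs."""
    hits = []
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:") and line[len("package:"):] in JOKER_IOCS:
            hits.append(line[len("package:"):])
    return hits


def match_apk_hashes(apks: Dict[str, bytes]) -> Dict[str, str]:
    """Return {filename: detection name} for APK contents whose SHA-1 appears in the IoC table."""
    by_hash = {sha1: detection for detection, sha1, _ in JOKER_IOCS.values()}
    return {name: by_hash[h] for name, data in apks.items()
            if (h := hashlib.sha1(data).hexdigest()) in by_hash}


def scan_apk_dir(directory: Path) -> Dict[str, str]:
    """Disk wrapper: hash every *.apk under `directory` (e.g. files pulled with `adb pull`)."""
    return match_apk_hashes({str(p): p.read_bytes() for p in directory.rglob("*.apk")})


def find_config_contacts(log_lines: Iterable[str]) -> List[str]:
    """Return the log lines (DNS, proxy, firewall) that name one of the IoC configuration hosts."""
    hosts = ioc_hosts()
    host_re = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
    return [line for line in log_lines
            if any(h.lower() in hosts for h in host_re.findall(line))]


# Constructed sample inputs (not real device data): one IoC package and one IoC host are planted.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.huawei.appmarket
package:com.nova.superkeyboard
package:com.example.notes
"""
SAMPLE_LOG = [
    "2021-04-09T10:02:11Z dns query A happycolor.oss-ap-northeast-1.aliyuncs.com from 10.0.0.23",
    "2021-04-09T10:02:13Z dns query A www.example.org from 10.0.0.23",
]

if __name__ == "__main__":
    print("packages:", find_suspect_packages(SAMPLE_PM_OUTPUT))
    print("apk hits:", match_apk_hashes({"benign.apk": b"PK\x03\x04 constructed, not a real APK"}))
    print("log hits:", find_config_contacts(SAMPLE_LOG))
```

Package-name and host matching catch the apps listed here; the SHA-1 check only fires on the exact builds Doctor Web analysed, so a repackaged variant will pass it and the name checks remain the more useful signal.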
