More than 500,000 Huawei users were infected with the Joker malware after downloading tainted apps from the company’s official Android store.
The fight against the Joker malware (aka Bread) began in September 2019, when security experts at Google removed 24 apps from the official Play Store because they were infected with a new spyware tracked as “the Joker.”
The Joker malware is malicious code camouflaged as a system app; it allows attackers to perform a broad range of malicious operations, including disabling the Google Play Protect service, installing malicious apps, generating fake reviews, and showing ads.
The spyware is able to steal SMS messages, contact lists, and device information, and to sign victims up for premium service subscriptions.
Experts from antivirus firm Doctor Web discovered ten apps in AppGallery containing the malicious code.
“Doctor Web’s virus analysts have uncovered the first malware on AppGallery―the official app store from the Huawei Android device manufacturer.” reads the post published by Dr. Web. “They turned out to be dangerous Android.Joker trojans that function primarily to subscribe users to premium mobile services. In total, our specialists discovered that 10 modifications of these trojans have found their way onto AppGallery, with more than 538,000 users having installed them.”
Once downloaded and run, the apparently harmless apps worked as users would expect, so as to avoid raising suspicion.
The malicious apps were camouflaged as virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game. Eight of these apps were developed by Shanxi kuailaipai network technology co., ltd, and the remaining two by the developer 何斌.
Below is the list of apps and packages discovered by the researchers:
| Detection name | SHA-1 | Application name | Package name | Configuration |
|---|---|---|---|---|
| Android.Joker.531 | ddebecf001fd0c7ce03bf4a3eb7b6abe779f0d2d | New 2021 Keyboard | com.newyear.onekeyboard | hxxps://new2021keyboard.oss-ap-south-1.aliyuncs.com/ |
| Android.Joker.594 | f1b49a444f554bb942fd8f5a9ff2a212d8db6247 | Camera MX – Photo Video Camera | com.sdkfj.uhbnji.dsfeff | hxxps://cameramx-photovideocamera.oss-cn-wulanchabu.aliyuncs.com/ |
| Android.Joker.659 | 9d2337047ca59d1375c898cf7d0361fe56c3576c | Funney Meme Emoji | com.meme.rouijhhkl | hxxp://funneymemeemoji.oss-ap-southeast-5.aliyuncs.com/ |
Once executed, the malware connects to the C&C server to receive its configuration, then downloads and launches one of the additional components. This component automatically subscribes the device's user to premium mobile services. The apps also request access to notifications so they can intercept incoming SMS messages from premium services that carry the subscription confirmation codes.
The same apps set the limit on the number of successfully activated premium services for each user. By default, the limit is set to 5, but it can be increased or decreased upon receiving the configuration from the C&C server.
“The downloaded component is responsible for automatically subscribing Android device users to premium mobile services. In addition, the decoy apps request access to notifications that they will later need to intercept incoming SMS from premium services with subscription confirmation codes.” continues the report. “The same apps set the limit on the number of successfully activated premium services for each user. By default, the limit is set to 5, but it can be increased or decreased upon receiving the configuration from the C&C server.”
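The two behaviours described above (a decoy app that registers a notification listener, and APKs matching the published hashes and package names) can be triaged with a small script. The following is an added example, not Doctor Web's or Huawei's code; it assumes the manifest has already been decoded from binary XML to text (for instance with apktool), and the sample manifest is constructed for illustration only.

```python
import hashlib
import xml.etree.ElementTree as ET

# SHA-1 -> package name, taken from the Doctor Web table above.
JOKER_IOCS = {
    "ddebecf001fd0c7ce03bf4a3eb7b6abe779f0d2d": "com.newyear.onekeyboard",
    "f1b49a444f554bb942fd8f5a9ff2a212d8db6247": "com.sdkfj.uhbnji.dsfeff",
    "9d2337047ca59d1375c898cf7d0361fe56c3576c": "com.meme.rouijhhkl",
}
KNOWN_PACKAGES = set(JOKER_IOCS.values())
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
LISTENER_ACTION = "android.service.notification.NotificationListenerService"


def declares_notification_listener(manifest_xml: str) -> bool:
    """True if the decoded manifest registers a NotificationListenerService,
    the hook these trojans use to read SMS confirmation codes."""
    root = ET.fromstring(manifest_xml)
    for service in root.iter("service"):
        if service.get(ANDROID_NS + "permission") != LISTENER_PERM:
            continue
        for action in service.iter("action"):
            if action.get(ANDROID_NS + "name") == LISTENER_ACTION:
                return True
    return False


def triage(package_name: str, apk_bytes: bytes, manifest_xml: str) -> list:
    """Return a list of findings for one installed app (empty list = nothing seen)."""
    findings = []
    digest = hashlib.sha1(apk_bytes).hexdigest()
    if digest in JOKER_IOCS:
        findings.append("sha1 matches Android.Joker IoC for " + JOKER_IOCS[digest])
    if package_name in KNOWN_PACKAGES:
        findings.append("package name listed in Android.Joker IoCs")
    if declares_notification_listener(manifest_xml):
        findings.append("requests notification access (possible SMS code interception)")
    return findings


# Constructed sample: a "keyboard" app whose manifest registers a notification
# listener. Illustrative only, not a real sample from AppGallery.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.newyear.onekeyboard"><application>
  <service android:name=".NotifySvc"
      android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
    <intent-filter>
      <action android:name="android.service.notification.NotificationListenerService"/>
    </intent-filter></service></application></manifest>"""
```

Run `triage("com.newyear.onekeyboard", apk_bytes, SAMPLE_MANIFEST)` over a device's installed packages; an empty result means neither the hash, the package name nor the notification-listener heuristic fired.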
Doctor Web reported its findings to Huawei, which quickly removed the apps from AppGallery. Huawei users who have already installed the malicious apps have to remove them manually.
The experts shared a list of indicators of compromise for the above malicious apps.