According to reports, more than 500,000 Huawei users downloaded apps infected with Joker malware from the company’s official Android store and were subscribed to premium mobile services. Researchers found 10 seemingly harmless applications in AppGallery that contain code that connects to malicious command and control servers to receive configuration and add-ons.
A report by antivirus vendor Doctor Web points out that these malicious applications retain their advertised functions, but the downloaded components subscribe users to premium mobile services. To keep users unaware, the infected applications request access to notifications, which allows them to intercept the confirmation codes sent by the subscription service via SMS.
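Because the apps depend on notification access to read those confirmation codes, a device audit can list which user-installed apps hold that access. The following is an added example, not code from the Doctor Web report: it parses the captured output of `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -3`, and every package name and the approved list in it are constructed sample data.

```python
# Added example: audit which third-party apps hold notification access.
# Inputs are the text output of two adb commands, captured beforehand:
#   adb shell settings get secure enabled_notification_listeners
#   adb shell pm list packages -3
# All package names below are constructed sample data.

def parse_listeners(setting_value):
    """Return {package: [listener classes]} from the colon-separated setting."""
    listeners = {}
    value = setting_value.strip()
    if value in ("", "null"):          # nothing has notification access
        return listeners
    for component in value.split(":"):
        pkg, sep, cls = component.strip().partition("/")
        if not sep or not pkg:         # skip malformed entries
            continue
        if cls.startswith("."):        # short form ".Cls" is relative to pkg
            cls = pkg + cls
        listeners.setdefault(pkg, []).append(cls)
    return listeners

def parse_third_party(pm_output):
    """Return the set of user-installed packages from `pm list packages -3`."""
    return {line.strip()[len("package:"):]
            for line in pm_output.splitlines()
            if line.strip().startswith("package:")}

def audit(setting_value, pm_output, approved=frozenset()):
    """User-installed apps with notification access that are not approved."""
    third_party = parse_third_party(pm_output)
    return {pkg: classes
            for pkg, classes in sorted(parse_listeners(setting_value).items())
            if pkg in third_party and pkg not in approved}

# Constructed sample: one system listener, one keyboard app, one approved app.
SAMPLE_SETTING = ("com.android.systemui/.NotifListener:"
                  "com.example.superkeys/com.example.superkeys.svc.Notify:"
                  "com.example.wearsync/.BridgeService")
SAMPLE_PM = ("package:com.example.superkeys\n"
             "package:com.example.wearsync\n"
             "package:com.example.notes\n")

if __name__ == "__main__":
    flagged = audit(SAMPLE_SETTING, SAMPLE_PM, {"com.example.wearsync"})
    for pkg, classes in flagged.items():
        print(f"review: {pkg} holds notification access via {classes}")
```

A keyboard, camera or coloring app appearing in the result has no functional need for notification access and is worth reviewing or revoking.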
According to the researchers, the malware can subscribe a user to up to five services, but the threat actor can modify this limit at any time. The list of malicious applications includes virtual keyboards, camera applications, launchers, online messengers, sticker collections, coloring programs, and games.
Most of them come from a single developer, while two come from different developers. These ten applications were downloaded by more than 538,000 Huawei users. Huawei was informed about these apps, and the company has removed them from AppGallery.
- Super Keyboard
- Happy Colour
- Fun Color
- New 2021 Keyboard
- Camera MX – Photo Video Camera
- BeautyPlus Camera
- Color RollingIcon
- Funney Meme Emoji
- Happy Tapping
- All-in-One Messenger
The researchers said that the same modules downloaded by the infected applications in AppGallery are also present in other applications on Google Play and are used by other versions of Joker malware. The complete list of infected apps is available here.
Joker malware dates back to 2017, and it has repeatedly been found in applications distributed through the Google Play store. In October 2019, Kaspersky’s Android malware analyst Tatyana Shishkova tweeted about more than 70 compromised apps that had made it into the official store.
Reports of malicious software in Google Play continue to appear. At the beginning of 2020, Google announced that it had removed about 1,700 apps infected with Joker since 2017. In February last year, Joker was still present in the store, and even in July last year it continued to slip past Google’s defenses.