Joker malware infected 538,000 Huawei Android devices


More than 500,000 Huawei users have been infected with the Joker malware after downloading apps from the company’s official Android store.

More than 500,000 Huawei users were infected with the Joker malware after downloading tainted apps from the company’s official Android store, AppGallery.

The fight against the Joker malware (aka Bread) began in September 2019, when security experts at Google removed 24 apps from the official Play Store because they were infected with a new spyware tracked as “the Joker.”

The Joker malware is malicious code camouflaged as a system app that allows attackers to perform a broad range of malicious operations, including disabling the Google Play Protect service, installing malicious apps, generating fake reviews, and showing ads.

The spyware is able to steal SMS messages, contact lists, and device information and to sign victims up for premium service subscriptions.

Experts from antivirus firm Doctor Web discovered ten apps in AppGallery that contained the malicious code.

“Doctor Web’s virus analysts have uncovered the first malware on AppGallery―the official app store from the Huawei Android device manufacturer.” reads the post published by Dr. Web. “They turned out to be dangerous Android.Joker trojans that function primarily to subscribe users to premium mobile services. In total, our specialists discovered that 10 modifications of these trojans have found their way onto AppGallery, with more than 538,000 users having installed them.”

Once downloaded and executed, the apparently harmless apps worked as users would expect, so as to avoid raising suspicion.

The malicious apps were camouflaged as virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game. Eight of these apps were developed by Shanxi kuailaipai network technology co., ltd, the remaining two by the developer 何斌.

Below is the list of apps and packages discovered by the researchers:

| Detection name | SHA-1 | Application name | Package name | Configuration |
|---|---|---|---|---|
| Android.Joker.531 | 2349b2c0238dcc52e072500ea402128de0a216cf | Super Keyboard | com.nova.superkeyboard | hxxps://superkeyboard.oss-ap-southeast-1.aliyuncs.com/ |
| Android.Joker.531 | 0cfb4dd79fcfda7ecfcab7fd238f9f73ab8543d8 | Happy Colour | com.colour.syuhgbvcff | hxxps://happycolor.oss-ap-northeast-1.aliyuncs.com/ |
| Android.Joker.531 | 443c73e1ee2cc7c9301ac4dfe14411762689baf5 | Fun Color | com.funcolor.toucheffects | hxxps://funcolortoucheffects.oss-ap-southeast-2.aliyuncs.com/ |
| Android.Joker.531 | ddebecf001fd0c7ce03bf4a3eb7b6abe779f0d2d | New 2021 Keyboard | com.newyear.onekeyboard | hxxps://new2021keyboard.oss-ap-south-1.aliyuncs.com/ |
| Android.Joker.594 | f1b49a444f554bb942fd8f5a9ff2a212d8db6247 | Camera MX – Photo Video Camera | com.sdkfj.uhbnji.dsfeff | hxxps://cameramx-photovideocamera.oss-cn-wulanchabu.aliyuncs.com/ |
| Android.Joker.594 | 9dcc00513144612fdfcdb57278b2a54654b996ec | BeautyPlus Camera | com.beautyplus.excetwa.camera | hxxps://beautypluscamera.oss-ap-northeast-1.aliyuncs.com/ |
| Android.Joker.658 | 3950c89eb27c973dce8c1c0ea3ae30baa0f7544e | Color RollingIcon | com.hwcolor.jinbao.rollingicon | hxxps://colorrollingicon.oss-cn-huhehaote.aliyuncs.com/ |
| Android.Joker.659 | 9d2337047ca59d1375c898cf7d0361fe56c3576c | Funney Meme Emoji | com.meme.rouijhhkl | hxxp://funneymemeemoji.oss-ap-southeast-5.aliyuncs.com/ |
| Android.Joker.660 | 57148c6e040fb15723e5ca040740ae8901fd2dae | Happy Tapping | com.tap.tap.duedd | hxxp://happytapping.oss-cn-qingdao.aliyuncs.com/ |
| Android.Joker.662 | fb184efe017debc57eba118ab7aee17fd946e1ec | All-in-One Messenger | com.messenger.sjdoifo | hxxps://allinonemessenger.oss-cn-shenzhen.aliyuncs.com/ |

Once executed, the malware connects to the C&C server to receive its configuration, then downloads and launches one of the additional components. That component automatically subscribes the device's user to premium mobile services. The apps also request access to notifications so they can intercept incoming SMS from the premium services carrying the subscription confirmation codes.

The same apps set the limit on the number of successfully activated premium services for each user. By default, the limit is set to 5, but it can be increased or decreased upon receiving the configuration from the C&C server.

“The downloaded component is responsible for automatically subscribing Android device users to premium mobile services. In addition, the decoy apps request access to notifications that they will later need to intercept incoming SMS from premium services with subscription confirmation codes.” continues the report. “The same apps set the limit on the number of successfully activated premium services for each user. By default, the limit is set to 5, but it can be increased or decreased upon receiving the configuration from the C&C server.”

Doctor Web reported its findings to Huawei, which quickly removed the apps from AppGallery. Huawei users who have already installed the malicious apps have to remove them manually.

The experts shared a list of indicators of compromise for the above malicious apps.
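The following triage helper is an added example, not code from the article or from Doctor Web: it matches a device's installed package list (as printed by `adb shell pm list packages`) and the SHA-1 of any pulled APK against the package names and hashes in the table above, so an administrator can confirm whether one of the ten apps is present before removing it manually. The sample `pm list packages` output is constructed.

```python
# Added triage example (not from the article or Doctor Web): match installed
# packages and APK hashes against the IoCs from the Doctor Web table above.
import hashlib
import re
from typing import List, Optional, Tuple

# Package name -> (app name, SHA-1) exactly as published in the table.
JOKER_IOCS = {
    "com.nova.superkeyboard": ("Super Keyboard", "2349b2c0238dcc52e072500ea402128de0a216cf"),
    "com.colour.syuhgbvcff": ("Happy Colour", "0cfb4dd79fcfda7ecfcab7fd238f9f73ab8543d8"),
    "com.funcolor.toucheffects": ("Fun Color", "443c73e1ee2cc7c9301ac4dfe14411762689baf5"),
    "com.newyear.onekeyboard": ("New 2021 Keyboard", "ddebecf001fd0c7ce03bf4a3eb7b6abe779f0d2d"),
    "com.sdkfj.uhbnji.dsfeff": ("Camera MX - Photo Video Camera", "f1b49a444f554bb942fd8f5a9ff2a212d8db6247"),
    "com.beautyplus.excetwa.camera": ("BeautyPlus Camera", "9dcc00513144612fdfcdb57278b2a54654b996ec"),
    "com.hwcolor.jinbao.rollingicon": ("Color RollingIcon", "3950c89eb27c973dce8c1c0ea3ae30baa0f7544e"),
    "com.meme.rouijhhkl": ("Funney Meme Emoji", "9d2337047ca59d1375c898cf7d0361fe56c3576c"),
    "com.tap.tap.duedd": ("Happy Tapping", "57148c6e040fb15723e5ca040740ae8901fd2dae"),
    "com.messenger.sjdoifo": ("All-in-One Messenger", "fb184efe017debc57eba118ab7aee17fd946e1ec"),
}
# Reverse index so a pulled APK can be checked by hash alone.
SHA1_TO_APP = {sha1: app for app, sha1 in JOKER_IOCS.values()}

def parse_pm_list(output: str) -> List[str]:
    """Parse `adb shell pm list packages` output: one 'package:<name>' per line."""
    return re.findall(r"^package:(\S+)", output, flags=re.MULTILINE)

def find_joker_packages(installed: List[str]) -> List[Tuple[str, str]]:
    """Return (package, app name) for every installed package in the IoC list."""
    return [(pkg, JOKER_IOCS[pkg][0]) for pkg in installed if pkg in JOKER_IOCS]

def match_apk_sha1(apk_bytes: bytes) -> Optional[str]:
    """Return the app name if the APK bytes hash to a listed SHA-1, else None."""
    return SHA1_TO_APP.get(hashlib.sha1(apk_bytes).hexdigest())

# Constructed sample of `pm list packages` output; not taken from a real device.
SAMPLE_PM_OUTPUT = """package:com.huawei.appmarket
package:com.nova.superkeyboard
package:com.android.settings
package:com.tap.tap.duedd
"""

if __name__ == "__main__":
    for pkg, app in find_joker_packages(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f"REMOVE: {pkg} ({app})")
```

On a real device, feed the helper the output of `adb shell pm list packages` and the bytes of an APK pulled with `adb pull`; the hash check only matches the exact samples Doctor Web listed, so a non-match does not prove an app is clean.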



Pierluigi Paganini

(SecurityAffairs – hacking, Huawei apps)
