Joker malware infected 538,000 Huawei Android devices

More than 500,000 Huawei users have been infected with the Joker malware after downloading apps from the company’s official Android store.

More than 500,000 Huawei users were infected with the Joker malware after they have downloaded tainted apps from the company’s official Android store.

The fight to the Joker malware (aka Bread) begun in September 2019 when security experts at Google removed from the official Play Store 24 apps because they were infected with a new spyware tracked as “the Joker.”

The Joker malware is a malicious code camouflaged as a system app and allows attackers to perform a broad range of malicious operations, including disable the Google Play Protect service, install malicious apps, generate fake reviews, and show ads.

The spyware is able to steal SMS messages, contact lists, and device information and to sign victims up for premium service subscriptions.

Experts from antivirus firm Doctor Web discovered ten apps in AppGallery that were containing the malicious code.

“Doctor Web’s virus analysts have uncovered the first malware on AppGallery―the official app store from the Huawei Android device manufacturer.” reads the post published by Dr. Web. “They turned out to be dangerous Android.Joker trojans that function primarily to subscribe users to premium mobile services. In total, our specialists discovered that 10 modifications of these trojans have found their way onto AppGallery, with more than 538,000 users having installed them.”

Upon downloading and executing the apparently harmless apps, they worked as users would have expected to avoid raising suspicion.

The malicious apps were camouflaged as virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game. 8 of these apps were developed by Shanxi kuailaipai network technology co., ltd, the remaining 2 by the developer 何斌.

Below the list of apps and packages discovered by the researchers:

Detection name	SHA-1	Application name	Package name	Configuration
Android.Joker.531	2349b2c0238dcc52e072500ea402128de0a216cf	Super Keyboard	com.nova.superkeyboard	hxxps://superkeyboard.oss-ap-southeast-1.aliyuncs.com/
Android.Joker.531	0cfb4dd79fcfda7ecfcab7fd238f9f73ab8543d8	Happy Colour	com.colour.syuhgbvcff	hxxps://happycolor.oss-ap-northeast-1.aliyuncs.com/
Android.Joker.531	443c73e1ee2cc7c9301ac4dfe14411762689baf5	Fun Color	com.funcolor.toucheffects	hxxps://funcolortoucheffects.oss-ap-southeast-2.aliyuncs.com/
Android.Joker.531	ddebecf001fd0c7ce03bf4a3eb7b6abe779f0d2d	New 2021 Keyboard	com.newyear.onekeyboard	hxxps://new2021keyboard.oss-ap-south-1.aliyuncs.com/
Android.Joker.594	f1b49a444f554bb942fd8f5a9ff2a212d8db6247	Camera MX – Photo Video Camera	com.sdkfj.uhbnji.dsfeff	hxxps://cameramx-photovideocamera.oss-cn-wulanchabu.aliyuncs.com/
Android.Joker.594	9dcc00513144612fdfcdb57278b2a54654b996ec	BeautyPlus Camera	com.beautyplus.excetwa.camera	hxxps://beautypluscamera.oss-ap-northeast-1.aliyuncs.com/
Android.Joker.658	3950c89eb27c973dce8c1c0ea3ae30baa0f7544e	Color RollingIcon	com.hwcolor.jinbao.rollingicon	hxxps://colorrollingicon.oss-cn-huhehaote.aliyuncs.com/
Android.Joker.659	9d2337047ca59d1375c898cf7d0361fe56c3576c	Funney Meme Emoji	com.meme.rouijhhkl	hxxp://funneymemeemoji.oss-ap-southeast-5.aliyuncs.com/
Android.Joker.660	57148c6e040fb15723e5ca040740ae8901fd2dae	Happy Tapping	com.tap.tap.duedd	hxxp://happytapping.oss-cn-qingdao.aliyuncs.com/
Android.Joker.662	fb184efe017debc57eba118ab7aee17fd946e1ec	All-in-One Messenger	com.messenger.sjdoifo	hxxps://allinonemessenger.oss-cn-shenzhen.aliyuncs.com/

Once the malware is executed it connects to the C&C server to receive the necessary configuration and download and launch one of the additional components. The component automatically subscribed the Android device users to premium mobile services. The apps request access to notifications to intercept incoming SMS from premium services with subscription confirmation codes.

The same apps set the limit on the number of successfully activated premium services for each user. By default, the limit is set to 5, but it can be increased or decreased upon receiving the configuration from the C&C server.

“The downloaded component is responsible for automatically subscribing Android device users to premium mobile services. In addition, the decoy apps request access to notifications that they will later need to intercept incoming SMS from premium services with subscription confirmation codes.” continues the report. “The same apps set the limit on the number of successfully activated premium services for each user. By default, the limit is set to 5, but it can be increased or decreased upon receiving the configuration from the C&C server.”

Doctor Web reported to Huawei its findings, which quickly removed them from AppGallery. Huawei users who have already installed the malicious apps have to manually remove them.

The experts shared a list of indicators of compromise for the above malicious apps.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Huawei apps)

[adrotate banner=”5″]

[adrotate banner=”13″]