More than 500,000 Huawei users were infected with the Joker malware after they downloaded infected apps from the company’s official Android store.
Joker is malicious code disguised as a system app that allows attackers to perform a range of malicious operations, including disabling the Google Play Protect service, installing further malicious apps, generating fake reviews, and showing ads.
The spyware can steal SMS messages, contact lists, and device information, and sign victims up for premium service subscriptions.
Researchers from the antivirus firm Doctor Web discovered ten apps in AppGallery that contain the malicious code.
According to a post published by Dr. Web, their virus analysts have uncovered the first malware on AppGallery―the official app store from the Huawei Android device manufacturer. It was found to be the dangerous Android.Joker trojans that function primarily to subscribe users to premium mobile services. In total, 10 modifications of these trojans have found their way onto AppGallery, and more than 538,000 users have installed them.
Once downloaded and launched, the apps worked as advertised so as not to raise suspicion among users.
The malicious apps were camouflaged as virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game. Eight of these apps were developed by Shanxi kuailaipai network technology co., ltd.
After the malware is executed, it connects to the C&C server to receive its configuration, then downloads and launches one of the additional components. That component automatically subscribes the Android device's user to premium mobile services. The apps request notification access so that they can intercept incoming SMS messages from premium services carrying the subscription confirmation codes.
The apps also set a limit on the number of premium services that can be successfully activated for each user. By default the limit is 5, but it can be raised or lowered by the configuration received from the C&C server.
Doctor Web reported its findings to Huawei, which immediately removed the apps from AppGallery. However, users who have already installed the malicious apps must remove them manually.
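The notification-access trick described above is visible in an app's manifest before the app is ever run: the listener must be declared as a service bound with the notification-listener permission. The following triage script is an added example, not code from the article, Doctor Web or Huawei; it parses a decoded AndroidManifest.xml and flags a declared notification listener combined with permissions that a keyboard, camera or sticker app has no plausible use for. The sample manifest, the package name and the `.NLService` class name are constructed for illustration.

```python
# Added example (not Doctor Web's or Huawei's code): triage a decoded
# AndroidManifest.xml for the notification-listener service that a
# Joker-style subscription dropper declares to read confirmation-code SMS.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NOTIF_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
NOTIF_ACTION = "android.service.notification.NotificationListenerService"

# Permissions that, together with notification access, have no plausible
# purpose in a keyboard, camera, launcher or sticker app.
SUSPECT_PERMS = {
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

def attr(elem, name):
    """Read an android:-namespaced attribute, or '' if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}", "")

def triage_manifest(manifest_xml: str) -> dict:
    """Return declared notification listeners and suspect permissions."""
    root = ET.fromstring(manifest_xml)
    listeners = []
    for svc in root.iter("service"):
        actions = {attr(a, "name") for a in svc.iter("action")}
        if attr(svc, "permission") == NOTIF_PERM or NOTIF_ACTION in actions:
            listeners.append(attr(svc, "name"))
    perms = {attr(p, "name") for p in root.iter("uses-permission")}
    return {
        "package": root.get("package", ""),
        "notification_listeners": listeners,
        "suspect_permissions": sorted(perms & SUSPECT_PERMS),
        "flag": bool(listeners) and bool(perms & SUSPECT_PERMS),
    }

# Constructed sample (hypothetical package): a "keyboard" app that declares a
# notification listener and asks for INTERNET and RECEIVE_SMS.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.fakekeyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".NLService" android:permission="{NOTIF_PERM}">
      <intent-filter><action android:name="{NOTIF_ACTION}"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A hit is a triage signal for a manual look at what the listener does with notification text, not proof of malice on its own, since messaging and wearable companion apps legitimately use the same service.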