
Joker Malware Present On 500,000 Huawei Android Phones Subscribes Users To Premium Mobile Services

Security researchers at Doctor Web discovered malware on Huawei AppGallery Store that subscribes users to premium mobile services without consent. The Android apps were downloaded more than 500,000 times from the Huawei app store.

Huawei runs an app distribution site independent of Google’s official Android store after Google ended support for Huawei devices following U.S. sanctions. The researchers discovered at least ten apps infected with Joker malware targeting Huawei Android phones.

Functional apps infect Huawei Android phones with Joker malware

Doctor Web researchers noted that the malicious apps functioned as advertised but contained hidden functionalities.

They contain code that connects to a command-and-control server to receive additional instructions and configurations and to download additional payloads. The apps also contained JavaScript code to mimic user interaction.

Additionally, the infected apps requested access to notifications, allowing them to intercept SMS subscription codes sent by the premium mobile services.

They could subscribe an individual user to a maximum of five premium mobile services, although the number could be increased.

The malicious apps also upload text messages and contact lists to target more people through the victims’ address book.

The malicious apps included a virtual keyboard, a camera app, a launcher, an online messenger, a game, a sticker collection, and coloring programs. Most of the Joker malware-laced apps were linked to a single developer, Shanxi Kuailaipai Network Technology Co., Ltd, while two were from a different entity.

Top five infected apps include Super Keyboard (com.nova.superkeyboard), Happy Colour (com.colour.syuhgbvcff), Fun Color (com.funcolor.toucheffects), New 2021 Keyboard (com.newyear.onekeyboard), Camera MX – Photo Video Camera (com.sdkfj.uhbnji.dsfeff), and BeautyPlus Camera (com.beautyplus.excetwa.camera). Others were Color RollingIcon (com.hwcolor.jinbao.rollingicon), Funney Meme Emoji (com.meme.rouijhhkl), Happy Tapping (com.tap.tap.duedd), and All-in-One Messenger (com.messenger.sjdoifo).

Problem of malware infecting Android phones

The Russian threat intelligence firm Doctor Web disclosed that the malicious apps in AppGallery contained Joker malware payloads similar to those found in other apps on Google Play Store since 2017. Thus, the problem is not exclusive to Huawei smartphones.

Many Android device users have unwittingly downloaded Joker malware from the official store because the trojan keeps mutating and sneaking past Google’s defenses.

Similarly, Kaspersky Android malware analyst Tatyana Shishkova says more than 70 Joker malware-infected Android apps were present on the official store.

About 17 Joker malware variants targeting various Android phones were detected on Play Store in 2020. Infected apps include PDF scanners, photo collage apps, direct messenger, fonts and emoticons, and Android keyboards.

Zscaler found that about 120,000 users downloaded the Joker malware from Google’s official Android app store. Consequently, the number of infected Android phones is higher and harder to estimate.

Spread of Joker malware

The discovery of Joker malware on Huawei AppGallery represents attempts by cybercriminals to diversify their malware distribution channels.

Doctor Web alerted Huawei to the Joker malware-infected apps and released a list of indicators of compromise.

Although Huawei removed the Joker malware-infected apps from AppGallery, users who downloaded them still have their Android phones compromised. They should, therefore, manually delete the apps to prevent further compromise.

Saryu Nayyar, CEO at Gurucul, says that Joker malware infection “is no joke.”

“And even more depressing, no Dark Knight is going to ride in to save users from these malicious apps,” Nayyar noted.

She added that users should manually clean their Android phones to rid them of the highly prevalent Joker malware. She, however, noted that the damage was reversible because malicious actors’ motives were purely financial.

Contrarily, it is unlikely that the threat actors would only pursue a single avenue to make money from compromised Android users. The huge information treasure trove would be valuable for executing phishing attacks and blackmail.


“Users who have been subscribed to premium mobile services as a result of this malware can request refunds for said services since the affected applications are known. The real problem sits with Huawei since over 500,000 users will be battling the company for premium service refunds. If only Huawei could send Alfred ‘to the bat cave’ to create a self-refunding app! Then they could have the last laugh…”