Huawei Users Alert — Infecting Joker Malware


Over 500,000 Huawei Android devices were infected with Joker malware through malicious apps downloaded from the company’s official Android app store, AppGallery.

Joker Malware

Researchers found ten seemingly harmless apps in AppGallery that connected to a malicious command-and-control server to fetch instructions and exfiltrate user data.

Joker is a widespread malware family, known since the fall of 2019, that can steal users’ SMS messages, contact lists, and device information.

In addition, the spyware can receive configurations and additional components from its server and sign victims up for premium service subscriptions.

Researchers at the antivirus firm Doctor Web discovered the ten apps in AppGallery that contained this malicious code.

Masked Android Apps

According to Doctor Web’s report, the malicious apps were uncovered on AppGallery, the official app store of the Huawei Android device manufacturer.

The downloaded components subscribe users to premium mobile services, up to a maximum of five per device, although the threat actor could change this limit at any time.

In total, 10 modifications of these trojans found their way onto AppGallery, and more than 538,000 users installed them.

The full list of malicious applications (source: Doctor Web) is given under Indicators of Compromise below.

Most of the applications were published by the developer Shanxi Kuailaipai Network Technology Co., Ltd; the remaining two came from a different developer.

Attack Flow

First, the malware Android.Joker.242.origin connects to the remote server and requests the configuration.

The configuration request contains a list of tasks with the websites of premium services, JavaScript scripts used to imitate user actions on the targeted websites, as well as other parameters.

In order for the subscription to be successful, the infected device must be connected to mobile Internet.

Android.Joker.242.origin checks the current connection and, if it detects an active Wi-Fi connection, tries to disconnect it so that the device falls back to mobile data.

For each task, the malicious module:

  • creates a non-displayable WebView and loads the premium service’s website address into it
  • loads the JavaScript that imitates user actions on that page
  • fills in the victim’s phone number and the PIN or confirmation code intercepted from SMS

To obtain those codes, the trojan not only searches incoming SMS for activation codes but also transmits the contents of all incoming-SMS notifications to the C&C server.
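The flow above needs a specific set of Android capabilities: network access to fetch the configuration and load premium pages in a hidden WebView, the ability to turn Wi-Fi off, and a way to read SMS confirmation codes (SMS permissions or a notification listener). The following triage script, added here as an example and not code from Doctor Web or from the malware, reads a decoded AndroidManifest.xml (as produced by apktool, for instance) and reports which of those capabilities an app requests. The permission names are real Android permissions; the two sample manifests and their package names are constructed for the example, and the verdict is a lead for manual analysis, not a detection signature.

```python
# Added triage heuristic for this article, not Doctor Web's detection logic.
# Input: decoded AndroidManifest.xml text. Output: which Joker-style
# capabilities the app declares, and a rough "worth a closer look" verdict.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS
NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"

# Capability -> permissions that grant it (any one is enough).
CAPABILITIES = {
    # fetch the C&C configuration, load premium pages in a WebView
    "network": {"android.permission.INTERNET"},
    # disconnect Wi-Fi so the subscription goes over mobile data
    "wifi_control": {"android.permission.CHANGE_WIFI_STATE"},
    # read confirmation codes straight from incoming SMS
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    # read the contents of SMS notifications (and every other notification)
    "notifications": {NOTIF_LISTENER},
}


def declared_permissions(manifest_xml):
    """Permissions requested via <uses-permission>, plus the notification
    listener bind permission when a <service> is guarded by it."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission")}
    for service in root.iter("service"):
        if service.get(PERMISSION) == NOTIF_LISTENER:
            perms.add(NOTIF_LISTENER)
    perms.discard(None)
    return perms


def joker_capabilities(manifest_xml):
    """Names of the capabilities from CAPABILITIES that the app declares."""
    perms = declared_permissions(manifest_xml)
    return [cap for cap, needed in CAPABILITIES.items() if perms & needed]


def is_joker_like(manifest_xml):
    """Heuristic: network access combined with a way to harvest SMS codes.
    Wi-Fi control alone is common in benign apps, so it only strengthens
    a lead and is never sufficient by itself."""
    caps = set(joker_capabilities(manifest_xml))
    return "network" in caps and bool(caps & {"sms", "notifications"})


# Constructed sample manifests (not taken from any of the listed apps).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.keyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    import sys
    # Usage: python joker_triage.py /path/to/AndroidManifest.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SUSPECT_MANIFEST
    print("capabilities:", joker_capabilities(text))
    print("joker-like:", is_joker_like(text))
```

Run it on a decoded manifest to get a quick first pass; a positive result only means the app can do what the flow above requires, and the WebView and JavaScript behaviour still has to be confirmed in the code.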

In short, over 538,000 users downloaded these malicious apps, according to Dr.Web.

Once Dr.Web reported the apps to Huawei, they were promptly removed from AppGallery.

Huawei users who installed any of them are advised to remove the apps manually.

Indicators Of Compromise

Application names and package names of the ten malicious apps:

Application name                    Package name
Super Keyboard                      com.nova.superkeyboard
Happy Colour                        com.colour.syuhgbvcff
Fun Color                           com.funcolor.toucheffects
New 2021 Keyboard                   com.newyear.onekeyboard
Camera MX – Photo Video Camera      com.sdkfj.uhbnji.dsfeff
BeautyPlus Camera                   com.beautyplus.excetwa.camera
Color RollingIcon                   com.hwcolor.jinbao.rollingicon
Funney Meme Emoji                   com.meme.rouijhhkl
Happy Tapping                       com.tap.tap.duedd
All-in-One Messenger                com.messenger.sjdoifo
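The package names above are the practical indicator: a quick way to check a device is to compare the output of `pm list packages` against them. The script below is an added example for this article, not code from Doctor Web or Huawei; it parses the `package:<name>` lines that `pm list packages` prints, reports any match, and can pull the list from a USB-connected device with `adb` when run with `--device`. The sample package list embedded in it is constructed, not captured from a real device.

```python
# Added example: check an Android package list against the Joker package
# names published for the AppGallery apps. Not part of the original article.
import subprocess

JOKER_PACKAGES = {
    "com.nova.superkeyboard",
    "com.colour.syuhgbvcff",
    "com.funcolor.toucheffects",
    "com.newyear.onekeyboard",
    "com.sdkfj.uhbnji.dsfeff",
    "com.beautyplus.excetwa.camera",
    "com.hwcolor.jinbao.rollingicon",
    "com.meme.rouijhhkl",
    "com.tap.tap.duedd",
    "com.messenger.sjdoifo",
}


def parse_pm_list(text):
    """Parse `pm list packages` output (one 'package:<name>' per line,
    possibly with CRLF line endings from adb) into a set of package names."""
    packages = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):])
    return packages


def find_joker_packages(installed):
    """Return the installed package names that match the IoC list, sorted."""
    return sorted(installed & JOKER_PACKAGES)


def device_package_list():
    """Fetch the package list from the connected device (needs adb on PATH)."""
    result = subprocess.run(
        ["adb", "shell", "pm", "list", "packages"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample of `pm list packages` output, not from a real device.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.nova.superkeyboard
package:com.huawei.appmarket
package:com.tap.tap.duedd
"""

if __name__ == "__main__":
    import sys
    text = device_package_list() if "--device" in sys.argv else SAMPLE_PM_OUTPUT
    hits = find_joker_packages(parse_pm_list(text))
    if hits:
        print("Joker IoC match:")
        for pkg in hits:
            print("  ", pkg)
    else:
        print("No listed Joker packages installed.")
```

Matches can be removed with `adb shell pm uninstall <package>` or from the device's app settings; a clean result only covers these ten package names, so apps from the same developers or later Joker variants with other names are not excluded.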

Further IoCs are available in Doctor Web’s report.

By FirstHackersNews | April 12th, 2021 | Mobile Security, Targeted Attacks

About the Author:

FirstHackersNews- Identifies Security
