Huawei Users Alert — Infecting Joker Malware

Home/Mobile Security, Targeted Attacks/Huawei Users Alert — Infecting Joker Malware

Huawei Users Alert — Infecting Joker Malware

Over 500,000 Huawei Android devices were found to be infected as malicious apps were downloaded from the company’s official Android store.

Joker Malware

Researchers found ten seemingly harmless apps in AppGallery connecting to malicious command and control server to retrieve user data.

Joker malware — a popular kind and can steal users’ SMS messages, contact lists, and device information — known since the fall of 2019..

However, the spyware could receive configurations and additional components and also sign victims up for premium service subscriptions.

The researchers from the antivirus firm Doctor Web discovered ten apps in AppGallery that contains malicious code.

Masked Android Apps

According to report — Doctor Web notes — the malicious apps uncovered on AppGallery ― the official app store from the Huawei Android device manufacturer. 

But downloaded components subscribe users to premium mobile services ― to a maximum of five services, although the threat actor could modify this limitation at any time.

In total, 10 modifications of these trojans have found their way onto AppGallery, and more than 538,000 users having installed them.

In addition, below are the list of malicious applications:

Source – Doctor Web

In addition, most of the applications are from Shanxi Kuailaipai Network Technology Co., Ltd developer and two from a different one.

Attack Flow

First, the malware Android.Joker.242.origin connects to the remote server and requests the configuration.

The configuration request contains a list of tasks with the websites of premium services, JavaScript scripts used to imitate user actions on the targeted websites, as well as other parameters.

In order for the subscription to be successful, the infected device must be connected to mobile Internet.

Android.Joker.242.origin checks the current connection and if it detects an active Wi-Fi connection, it tries to disconnect it.

After each task:

  • firstly, the malicious module creates a non-displayable WebView and sequentially loads the paid website address into each of them
  • secondly, the trojan loads JavaScript
  • retrieves victim’s phone number and the PIN with the confirmation code

At the same time, not only search for the activation codes, but also transmit the contents of all notifications about incoming SMS to the C&C server.

In short, Over 538,000 users have downloaded these malicious apps, according to Dr.Web.

Importantly, once Dr.Web reported to Huawei, they immediately removed them from AppGallery.

Huawei users are recommended to remove the apps manually.

Indicators Of Compromise

However, below are the list of the application name and its package:

Application namePackage name
Super Keyboardcom.nova.superkeyboard
Happy Colourcom.colour.syuhgbvcff
Fun Colorcom.funcolor.toucheffects
New 2021 Keyboardcom.newyear.onekeyboard
Camera MX – Photo Video Cameracom.sdkfj.uhbnji.dsfeff
Color RollingIconcom.hwcolor.jinbao.rollingicon
Funney Meme
Happy Tappingcom.tap.tap.duedd
All-in-One Messengercom.messenger.sjdoifo

Also, visit for more IOC’s

By | 2021-04-12T21:32:55+05:30 April 12th, 2021|Mobile Security, Targeted Attacks|

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!