Malware can cause a lot of trouble, and malicious actors know that too well that Malware-related threats never cease.
According to a report from antivirus maker Doctor Web, more than 500,000 Huawei devices have downloaded malicious apps containing the Joker malware from the company’s official Android store application.
The researchers found ten seemingly harmless apps in Huawei's AppGallery app that contained some malicious codes that subscribe to premium mobile services.
The malicious codes don't alter the apps' advertised functionality, allowing the apps to behave and work like intended. However, the codes inside the apps can connect to a control server to receive malicious commands from the bad actors behind them, in order to receive additional configurations and/or components.
To make victims unware of the malware's existence on their phones, the malicious apps request access to notifications, which allowed them to intercept confirmation codes delivered over SMS by the subscription service.
According to the researchers, the malware could automatically subscribe victims to a maximum of five services, although the threat actor could modify this limitation at any time.
"Android.Joker is relatively old malware family known since the fall of 2019. Doctor Web malware analysts come across new versions and modifications of these trojans almost daily. They were formerly seen most often on the official Android app store―Google Play. The attackers, however, have apparently decided to expand the scale of their activity and shift their attention to alternative catalogs supported by major players on the mobile device market."
The ten apps the researchers found to be malicious, include: virtual keyboards, a camera app, a launcher, an online messenger, a sticker collection, coloring programs, and a game.
Eight of these apps were distributed by the developer Shanxi Kuailaipai Network Technology Co., Ltd., while the other 2 by the developer 何斌.
Once the malicious apps are downloaded and ran, the malware will communicate to its remote server to get the configuration file, which contains a list of tasks, websites for premium services, and JavaScript that mimics user interaction.
Similar to other Android.Joker trojans, the ten apps discovered by Doctor Web were spread under the disguise of harmless apps. But deep inside their codes, they come fully-equipped with multi-component threats capable of executing various tasks depending on the attackers’ needs.
The ten apps have been downloaded by more than 538,000 Huawei users, said the researchers.
Doctor Web said this incident is the "first time" that malware is found on Huawei's AppGallery app store.
Following the findings, the researchers informed Huawei of these apps. Huawei responded by removing all ten apps from the AppGallery.
Just like incidents on Google Play Store, Huawei can only prevent the apps from being downloaded, meaning that Huawei can only prevent the apps to get more users. For those have downloaded and fell as victims, they need to manually remove the apps.
The researchers said that the same modules downloaded by the infected apps in AppGallery, were also present in other apps on Google Play, used by other versions of Joker malware.
