The Joker malware, known for tricking smartphone users into downloading fake apps and covertly registering them to premium-rate services, recently infiltrated over 500,000 Huawei phones via ten apps using which the malware communicated with a command and control server.
Ever since the United States banned Huawei from featuring the Google Play Store in its smartphones, the Chinese smartphone giant has been using its own Android app store- named AppGallery- to let millions of users download and update their applications.
Recently, security researchers from antivirus firm Doctor Web found that more than half a million Huawei devices were running apps downloaded from Huawei’s AppGallery that camouflaged the Joker malware- a well-known malware that signs up users to premium services without their knowledge or consent.
According to the researchers, the malware’s operators used ten seemingly harmless apps, ranging from a camera app, a virtual keyboard app, a sticker collection app, to a gaming app, to spread the Joker malware to as many as 538,000 Huawei devices where these apps were downloaded.
“Once the malware is launched, users interact with full-fledged applications. However, behind the mask of harmless software, the trojans connect to the C&C server, receive necessary configuration and download one of the additional components, which is then launched. The downloaded component is responsible for automatically subscribing Android device users to premium mobile services,” Doctor Web said.
“In addition, the decoy apps request access to notifications that they will later need to intercept incoming SMS from premium services with subscription confirmation codes. The same apps set the limit on the number of successfully activated premium services for each user. By default, the limit is set to 5, but it can be increased or decreased upon receiving the configuration from the C&C server.”
After it was alerted by the security firm, Huawei hid the malware-laden apps in AppGallery to protect users and said it will conduct additional investigation to minimize the risks of such apps appearing in the future.
The Joker malware has primarily been used to infiltrate Android devices since 2019 through seemingly harmless apps that were added to the Google Play Store with fake functionalities. In January 2020 alone, Google kicked out as many as 1,700 apps from the Play Store that were found hiding the Joker malware. By then, these applications had enjoyed millions of downloads, enabling operators of the malware to victimise a large number of smartphone users with billing fraud campaigns.
According to Google, while earlier versions of Joker, that appeared sometime in 2017, were engaged in carrying out SMS fraud, later versions of the malware (also known as Bread malware) were designed for billing fraud that involved the malware authors using injected clicks, custom HTML parsers, and SMS receivers to automate billing processes without requiring any interaction from the user.
Google added that the developers of Joker malware used just about every cloaking and obfuscation technique under the sun in an attempt to go undetected. Many of the malware’s samples appeared to be designed specifically to attempt to slip into the Play Store undetected and at peak times of activity, Google observed up to 23 different apps from this family submitted to Play in one day.