Half a million Huawei Android phones hit by Joker malware

Security researchers have found that over 500,000 Huawei smartphone users have downloaded applications tainted with the Joker malware, which subscribes users to premium mobile services without their knowledge.

The Joker family of malware has been infecting apps on Google's Play Store for the last few years, but this is the first instance of it cropping up on Huawei’s platform. Huawei users are currently unable to access the Google Play Store due to US trade sanctions, and instead use the company's in-house AppGallery platform.

"Doctor Web malware analysts come across new versions and modifications of these [Joker] trojans almost daily. They were formerly seen most often on the official Android app store―Google Play. The attackers, however, have apparently decided to expand the scale of their activity and shift their attention to alternative catalogs supported by major players on the mobile device market," noted the researchers at antivirus company Doctor Web who uncovered the threat.

Subdued notifications

The researchers found the malware masquerading inside ten seemingly harmless apps in AppGallery. While the apps functioned as advertised, they conducted the unscrupulous activity in the background.

Analysis of the malicious code revealed that once activated inside the app, it would connect to a command and control (C2) server to receive additional configurations and components. These were then used to surreptitiously subscribe users to premium mobile services. 

In order to intercept and respond to any confirmation code delivered via SMS by the subscription service, the infected apps would request access to notifications.

The researchers observed that while the malware in this latest campaign subscribed the users to a maximum of five services, there was nothing that prevented the threat actors from upping this number any time they wished.

A majority of the apps were developed by a single developer, while two came from another one. In all, the researchers note, over half a million copies of the apps were downloaded by the time Huawei removed them from AppGallery after being notified by the researchers.

Via: BleepingComputer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.