More than 500K Huawei Devices Affected by Joker Malware

Huawei mobile devices are the target of the Joker malware, which users were able to download from the AppGallery, affecting around 500,000 devices, reported Bleeping Computer. The malware is embedded in apps that appear to be harmless.

According to researchers, the company’s official Android applications store AppGallery contains ten applications that carry malicious codes that prompt commands and control servers to accept configurations and additional settings.

Antivirus maker Doctor Web explained that the applications function as intended. However, they initiated downloads to components that automatically subscribed users to premium services.

Huawei Devices Affected by Joker Malware

Apps that carry the Joker malware include virtual keyboards, camera apps, an online messenger, a sticker collection, coloring apps, a game, and a launcher. Most are created by Shanxi Kuailaipai Network Technology Co., Ltd, but two are from another developer.

Particularly, the culprits are Super Keyboard, Happy Colour, Fun color, New 2021 Keyboard, Camera MX, BeautyPlus Camera, Color Rollington, Funney Meme Emoji, Happy Tapping, and All-in-One Messenger.

The malicious applications request access to notifications, giving them the ability to catch confirmation codes sent via SMS, stealthily subscribing users to paid services.

The virus can get up to five services in the maximum. However, malicious parties can alter the limit and increase the number of services that the malware can subscribe the users to.

When the anomaly was caught by Doctor Web, the applications have over 538,000 downloads combined, showing that the malware has infected more than 500K mobile devices or users.

It is important to note that the same modules are found in Google Play Store, indicating that there are infected applications on Google Play. These modules are used by other versions of Joker, which has been operating on the AppGallery.

To know if they are infected, users are advised to cross-check the apps’ package names with the SHA-1 and detection names provided by GitHub. The list contains samples from AppGallery and Google Play Store.

This is not the first time that the Joker virus infected mobile devices. It has been active since 2017 in which it operates in Google Play Store. Back then, Tanya Shishkova a researcher at Kaspersky, found more than 70 applications that carry the payload.

Google was able to remove around 1,700 applications that contain Joker in early 2020. The malware remains to be active on the Google Play Store with reports of detection as of February.